Mark J. Cox

**Name of the Vulnerable Software and Affected Versions** Exim versions 4.72 and earlier **Description** The issue allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the `spool directory` directive. **Recommendations** For Exim versions 4.72 and earlier, consider restricting the ability of the exim user account to specify alternate configuration files until a patch is available. As a temporary workaround, consider disabling the use of the `spool directory` directive in configuration files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss Enterprise Application Platform versions 4.2.0 through 4.2.0.CP07, 4.2.2GA and earlier, 4.3 versions prior to 4.3.0.CP07, 5.1.0GA and earlier **Description** The issue affects the Web Console in the Application Server, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters in createSnapshot.jsp and createThresholdMonitor.jsp, including `monitorName`, `objectName`, `attribute`, `period`, `threshold`, and `enabled`. **Recommendations** For versions 4.2.0 through 4.2.0.CP07, update to 4.2.0.CP08 or later. For 4.2.2GA and earlier, update to a version later than 4.2.2GA. For 4.3 versions prior to 4.3.0.CP07, update to 4.3.0.CP07 or later. For 5.1.0GA and earlier, update to a version later than 5.1.0GA. As a temporary workaround, consider restricting access to the createSnapshot.jsp and createThresholdMonitor.jsp pages until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Sun Java SE 6 versions prior to Update 17 **Description** The Java Web Start implementation does not properly handle the interaction between a signed JAR file and a JNLP application or applet. This issue is related to a regression. **Recommendations** For Sun Java SE 6 versions prior to Update 17, update to Update 17 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Sun Java SE versions 5.0 before Update 22 Sun Java SE versions 6 before Update 17 **Description** The issue is related to an unspecified vulnerability in the TrueType font parsing functionality. This vulnerability allows remote attackers to cause a denial of service, resulting in an application crash, via a certain test suite. **Recommendations** For Sun Java SE versions 5.0 before Update 22, update to Update 22 or later to resolve the issue. For Sun Java SE versions 6 before Update 17, update to Update 17 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.31-rc7 **Description** The issue allows local users to gain privileges by exploiting NULL pointer dereference vulnerabilities. This is related to the default configuration of the `allow unconfined mmap low` boolean in SELinux, an error that causes `allow unconfined mmap low` to be ignored, lack of a requirement for the `CAP SYS RAWIO` capability for certain mmap operations, and interaction between the `mmap min addr` protection mechanism and certain application programs. **Recommendations** For Linux kernel versions prior to 2.6.31-rc7, update to version 2.6.31-rc7 or later to resolve the issue. As a temporary workaround, consider restricting the use of mmap operations that target low memory addresses to minimize the risk of exploitation. Additionally, review and adjust the configuration of the `allow unconfined mmap low` boolean in SELinux to ensure it is properly set.

**Name of the Vulnerable Software and Affected Versions** Mozilla Network Security Services (NSS) versions prior to 3.12.3 **Description** A heap-based buffer overflow issue exists in the regular-expression parser of Mozilla Network Security Services (NSS), which can be triggered by a long domain name in the subject's Common Name (CN) field of an X.509 certificate. This issue may allow remote SSL servers to cause a denial of service (application crash) or possibly execute arbitrary code. The issue is related to the `cert TestHostName` function. **Recommendations** For versions prior to 3.12.3, update to version 3.12.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `cert TestHostName` function until a patch is available. Avoid using long domain names in the subject's Common Name (CN) field of an X.509 certificate to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** capp-lspp-eal4-config-hp versions prior to 0.65-2 capp-lspp-config in lspp-eal4-config-ibm versions prior to 0.65-2 **Description** The issue arises from the Replace function in the capp-lspp-config script, which uses `lstat` instead of `stat` to determine file permissions. This leads to a change in permissions for the /etc/pam.d/system-auth-ac file, making it world-writable. As a result, local users can modify this file to gain privileges. **Recommendations** For capp-lspp-eal4-config-hp versions prior to 0.65-2, update to version 0.65-2 or later. For capp-lspp-config in lspp-eal4-config-ibm versions prior to 0.65-2, update to version 0.65-2 or later.

**Name of the Vulnerable Software and Affected Versions** OpenPegasus CIM management server (tog-pegasus) versions 2.5.1 through 2.6.1 **Description** The issue is related to a stack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback function, which might allow remote attackers to execute arbitrary code. This could lead to a disruption of confidentiality, integrity, and availability of protected information. The exploitation of this issue can be done remotely. **Recommendations** For OpenPegasus CIM management server (tog-pegasus) version 2.5.1, consider updating to a version outside of the affected range. For OpenPegasus CIM management server (tog-pegasus) version 2.6.1, consider updating to a version outside of the affected range. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel version 2.6.16 and earlier **Description** The issue concerns the `sys mbind` function in `mempolicy.c`, which fails to perform a sanity check on the `maxnod` variable before proceeding with computations for the `get nodes` function. The impact and attack vectors of this issue are not explicitly stated. **Recommendations** For Linux kernel version 2.6.16 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fedora Directory Server version 1.0 **Description** The issue allows remote attackers to cause a denial of service, resulting in a crash, by sending a certain "bad BER sequence" that leads to the freeing of uninitialized memory. This can be demonstrated using the ProtoVer LDAP test suite. **Recommendations** For Fedora Directory Server version 1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel in Red Hat Enterprise Linux 4 Description: The issue is related to the rw vm function in usercopy.c, which does not perform proper bounds checking. This allows local users to cause a denial of service, resulting in a system crash. Recommendations: For Linux kernel in Red Hat Enterprise Linux 4, consider applying a patch that fixes the bounds checking issue in the rw vm function as a permanent solution. As a temporary workaround, restrict local user privileges to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Groff package versions 1.18 and later Description: The issue allows local users to overwrite files via a symlink attack on temporary files created by the groffer script. This is a problem in the Groff package, which is used in various operating systems, including Trustix Secure Linux versions 1.5 through 2.1. Recommendations: For Groff package versions 1.18 and later, consider restricting access to the groffer script until a fix is available, or apply configuration changes to prevent the creation of temporary files that can be targeted by a symlink attack.

**Name of the Vulnerable Software and Affected Versions** lvm package versions 1.5 through 2.1 **Description** The issue allows local users to overwrite files via a symlink attack on temporary files, potentially leading to disruption of protected information integrity. This can be exploited by a local attacker. **Recommendations** For lvm package versions 1.5 through 2.1, consider restricting access to the lvmcreate initrd script as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** iptables (affected versions not specified) **Description** The issue allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface, specifically through the `ipq read` and `ipulog read` functions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SUSE Linux Enterprise (affected versions not specified) Linux kernel versions prior to 2.6.13.1 **Description** The issue affects the Linux kernel and SUSE Linux Enterprise, involving multiple vulnerabilities in various packages. These vulnerabilities can be exploited locally, potentially leading to disruptions in confidentiality, integrity, and availability of protected information. The raw sendmsg function in the Linux kernel is specifically mentioned as allowing local users to cause a denial of service or read from arbitrary memory via crafted input. **Recommendations** For Linux kernel versions prior to 2.6.13.1, update to version 2.6.13.1 or later to resolve the issue. For SUSE Linux Enterprise, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openSUSE (affected versions not specified) **Description** The issue involves multiple vulnerabilities in various packages of the openSUSE operating system, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openSUSE (affected versions not specified) Linux kernel before 2.6.13 kernel-patch-2.4.27-s390 **Description** The issue involves multiple vulnerabilities in various packages of the openSUSE operating system, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Additionally, a vulnerability in the Linux kernel before version 2.6.13 allows local users to cause a denial of service (crash) via a dio transfer from the sg driver to memory mapped (mmap) IO space. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel-image-2.6.8-13-amd64-k8-smp Debian GNU/Linux kernel-headers-2.6-itanium Debian GNU/Linux kernel-image-2.6.8-4-itanium-smp Debian GNU/Linux kernel-image-2.6.8-atari Debian GNU/Linux hostap-modules-2.6.8-4-686-smp Debian GNU/Linux kernel-build-2.6.8-4 Debian GNU/Linux kernel-image-2.6.8-mvme16x Debian GNU/Linux kernel-headers-2.6.8-4-64-smp Debian GNU/Linux kernel-image-2.6.8-4-powerpc Debian GNU/Linux kernel-build-2.6.8-4-powerpc-smp Debian GNU/Linux kernel-image-2.6.8-4-power3 Debian GNU/Linux kernel-doc-2.6.8 Debian GNU/Linux kernel-headers-2.6.8-4 Debian GNU/Linux kernel-image-2.6.8-4-power4-smp Debian GNU/Linux hostap-modules-2.4.27-3-586tsc Debian GNU/Linux kernel-headers-2.6-mckinley Debian GNU/Linux kernel-image-2.6.8-4-itanium Debian GNU/Linux kernel-image-2.6.8-q40 Debian GNU/Linux kernel-image-2.6.8-13-em64t-p4-smp Debian GNU/Linux kernel-image-2.6.8-4-64 Debian GNU/Linux kernel-image-2.6.8-4-mckinley Debian GNU/Linux kernel-tree-2.6.8 Debian GNU/Linux kernel-image-2.6.8-4-smp Debian GNU/Linux kernel-build-2.6.8-4-powerpc Debian GNU/Linux kernel-headers-2.6.8-4-mckinley Debian GNU/Linux kernel-headers-2.6.8-4-sparc64 Debian GNU/Linux kernel-headers-2.6-itanium-smp Debian GNU/Linux kernel-image-2.6.8-4-powerpc-smp Debian GNU/Linux kernel-image-2.6.8-4-686 Debian GNU/Linux hostap-modules-2.6.8-4-686 Debian GNU/Linux hostap-modules-2.6.8-4-k7-smp Debian GNU/Linux kernel-headers-2.6.8-13-amd64-generic Debian GNU/Linux kernel-build-2.6.8-4-power4 Debian GNU/Linux kernel-image-2.6.8-4-sparc64-smp Debian GNU/Linux kernel-image-2.6.8-4-power3-smp Debian GNU/Linux kernel-headers-2.6.8-13 Debian GNU/Linux kernel-image-2.6.8-13-amd64-k8 Debian GNU/Linux kernel-image-2.6.8-4-s390-tape Debian GNU/Linux kernel-image-2.6.8-4-64-smp Debian GNU/Linux kernel-image-2.6.8-4-sparc64 Debian GNU/Linux hostap-modules-2.4.27-3-k6 Debian GNU/Linux kernel-image-2.6.8-mac Debian GNU/Linux kernel-headers-2.6.8-4-64 Debian GNU/Linux hostap-modules-2.4.27-3-686-smp Debian GNU/Linux kernel-image-2.6.8-4-32-smp Debian GNU/Linux kernel-image-2.6.8-hp Debian GNU/Linux kernel-image-2.6.8-4-s390x Debian GNU/Linux kernel-headers-2.6.8-4-itanium-smp Debian GNU/Linux kernel-headers-2.6-mckinley-smp Debian GNU/Linux kernel-image-2.6.8-bvme6000 Debian GNU/Linux kernel-headers-2.6.8-4-mckinley-smp Debian GNU/Linux kernel-image-2.6.8-4-power4 Debian GNU/Linux kernel-image-2.6.8-4-mckinley-smp Debian GNU/Linux kernel-source-2.6.8 Debian GNU/Linux kernel-patch-debian-2.6.8 Debian GNU/Linux kernel-headers-2.6.8-4-sparc64-smp Debian GNU/Linux kernel-headers-2.6.8-13-em64t-p4-smp Debian GNU/Linux kernel-image-2.6.8-4-generic Debian GNU/Linux kernel-headers-2.6.8-4-itanium Debian GNU/Linux kernel-build-2.6.8-4-power3-smp Debian GNU/Linux kernel-image-2.6.8-4-k7 Debian GNU/Linux kernel-image-2.6.8-sun3 Debian GNU/Linux kernel-headers-2.6.8-13-em64t-p4 Debian GNU/Linux hostap-modules-2.4.27-3-686 Debian GNU/Linux kernel-headers-2.6.8-4-686 Debian GNU/Linux kernel-image-2.6.8-4-k7-smp Debian GNU/Linux kernel-headers-2.6.8-4-smp Debian GNU/Linux kernel-image-2.6.8-13-em64t-p4 Debian GNU/Linux kernel-image-2.6.8-4-32 Debian GNU/Linux kernel-headers-2.6.8-4-686-smp Debian GNU/Linux kernel-headers-2.6.8-4-sparc32 Debian GNU/Linux hostap-modules-2.4.27-3-k7-smp Debian GNU/Linux kernel-image-2.6.8-13-amd64-generic Debian GNU/Linux kernel-headers-2.6.8-4-386 Debian GNU/Linux kernel-headers-2.6.8-4-k7-smp Debian GNU/Linux hostap-modules-2.6.8-4-386 Debian GNU/Linux kernel-headers-2.6.8-4-32 Debian GNU/Linux kernel-patch-2.6.8-s390 Debian GNU/Linux kernel-build-2.6.8-4-power3 Debian GNU/Linux hostap-modules-2.6.8-4-k7 Debian GNU/Linux hostap-modules-2.4.27-3-386 Debian GNU/Linux kernel-headers-2.6.8-4-k7 Debian GNU/Linux kernel-build-2.6.8-4-power4-smp Debian GNU/Linux kernel-headers-2.6.8-4-32-smp Debian GNU/Linux kernel-image-2.6.8-amiga Debian GNU/Linux kernel-image-2.6.8-4-686-smp Debian GNU/Linux kernel-headers-2.6.8-13-amd64-k8 Linux kernel 2.6 **Description** The issue is related to multiple vulnerabilities in the Debian GNU/Linux kernel and related packages. These vulnerabilities can be exploited remotely, potentially leading to a denial of service (crash) or disruption of protected information. The hugepage code in the Linux kernel 2.6 is also affected, allowing local users to cause a denial of service by triggering an mmap error before a prefault. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lynx versions 2.8.6 and earlier **Description** The issue is related to multiple vulnerabilities in the Lynx package, which can lead to a breach of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, a stack-based buffer overflow in the `HTrjis` function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters. **Recommendations** For versions 2.8.6 and earlier, consider disabling the `HTrjis` function as a temporary workaround until a patch is available. Restrict access to NNTP servers to minimize the risk of exploitation. Avoid using article headers containing Asian characters in the affected Lynx versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel versions prior to 2.6.15 SUSE Linux Enterprise kernel (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the Linux kernel, which can lead to a violation of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The auto-reap of child processes in Linux kernel 2.6 before 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a denial of service (crash) and gain root privileges. **Recommendations** For Debian GNU/Linux kernel versions prior to 2.6.15, update to a version 2.6.15 or later to resolve the issue. For SUSE Linux Enterprise kernel, at the moment, there is no information about a newer version that contains a fix for this vulnerability.