The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Squeeze

vulnerability CVE-2010-1938

libopie: overflow of one byte

Synthesis of the vulnerability

An attacker can use a specially crafted login name to trigger a one-byte overflow in applications linked to libopie, leading to a denial of service and possibly to code execution.
Impacted products: Debian, FreeBSD, openSUSE, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Creation date: 27/05/2010.
Identifiers: BID-40403, CERTA-2003-AVI-037, CERTA-2010-AVI-233, CVE-2010-1938, DSA-2281-1, FreeBSD-SA-10:05.opie, VIGILANCE-VUL-9670.

Description of the vulnerability

The libopie library implements OPIE (One-time Passwords In Everything), which uses a different password for each session. The libopie library is installed, for example, on FreeBSD and openSUSE.

The opiereadrec() function of the libopie/readrec.c file copies the login name into a 32-byte array. If the name is longer, it is truncated by writing a '\0' at index 32 (indices start at zero). However, that position is just past the end of the array.

An attacker can therefore use a specially crafted login name to trigger a one-byte overflow in applications linked to libopie, leading to a denial of service and possibly to code execution.

The FreeBSD ftpd daemon, for example, is affected.

vulnerability bulletin CVE-2008-4242 CVE-2008-4247

ProFTPD, BSD, Solaris: Cross Site Request Forgery of FTP

Synthesis of the vulnerability

An attacker can use a CSRF to execute FTP commands with the privileges of a victim viewing an HTML page.
Impacted products: Debian, Fedora, FreeBSD, Mandriva Corporate, Mandriva Linux, NetBSD, OpenBSD, OpenSolaris, Solaris, Trusted Solaris, ProFTPD, WU-FTPD.
Severity: 2/4.
Creation date: 22/09/2008.
Revisions dates: 01/10/2008, 24/05/2010.
Identifiers: BID-31289, BID-40320, CERTA-2002-AVI-217, CERTA-2008-AVI-471, cpujul2010, CVE-2008-4242, CVE-2008-4247, DSA-1689-1, FEDORA-2009-0064, FEDORA-2009-0089, FEDORA-2009-0195, FreeBSD-SA-08:12.ftpd, FreeBSD-SA-09:01.lukemftpd, MDVSA-2009:061, NetBSD-SA2008-014, VIGILANCE-VUL-8123.

Description of the vulnerability

The FTP protocol works with sequences of commands and answers. For example:
  Client: MKD dir1
  Server: 257 "dir1" directory created
  Client: MKD dir2
  Server: 257 "dir2" directory created

The ProFTPD daemon (and possibly WU-FTPD) and the FTP services of BSD/Solaris have an implementation error: a command longer than 512 bytes is split into two commands. For example:
  Client: MKD //////.../dir1MKD dir2
  Server: 257 "/////.../dir1" directory created
  Server: 257 "dir2" directory created
In this case, "MKD //////.../dir1MKD dir2" is split into "MKD //////.../dir1" and "MKD dir2".

An attacker can therefore create an HTML page containing an image with the following URL:
  ftp://user@localhost/////.../SYST
This is equivalent to:
  LIST /////.../
  SYST
If the victim "user" can access the "localhost" FTP server without a password, the SYST command is executed when the HTML page is displayed.

An attacker can therefore use a CSRF to execute FTP commands with the privileges of a victim viewing an HTML page.

vulnerability CVE-2010-1644

Cacti: three Cross Site Scripting

Synthesis of the vulnerability

Three Cross Site Scripting vulnerabilities in Cacti can be used by an attacker to execute JavaScript code in the context of the web site.
Impacted products: Cacti, Debian, Fedora, Mandriva Corporate, MES, RHEL.
Severity: 2/4.
Creation date: 24/05/2010.
Identifiers: BID-40332, CVE-2010-1644, DSA-2384-1, DSA-2384-2, FEDORA-2010-9036, FEDORA-2010-9047, FEDORA-2010-9062, MDVSA-2010:160, RHSA-2010:0635-01, VIGILANCE-VUL-9660.

Description of the vulnerability

Three Cross Site Scripting vulnerabilities were announced in Cacti.

The hostname parameter is not correctly filtered. [severity:2/4]

The host_id parameter is not correctly filtered. [severity:2/4]

The description parameter is not correctly filtered. [severity:2/4]

An attacker can therefore execute JavaScript code in the context of the Cacti web site.

computer vulnerability bulletin CVE-2010-1447

Perl: bypassing Safe.pm via sub references

Synthesis of the vulnerability

An attacker can use a reference to a subroutine to bypass the restrictions imposed by Perl's Safe.pm module.
Impacted products: Debian, Fedora, NSMXpress, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, openSUSE, Perl Module ~ not comprehensive, RHEL, SLES, ESX.
Severity: 2/4.
Creation date: 21/05/2010.
Identifiers: 588269, BID-40305, CVE-2010-1447, DSA-2267-1, FEDORA-2010-11323, FEDORA-2010-11340, MDVSA-2010:115, openSUSE-SU-2010:0518-1, openSUSE-SU-2010:0519-1, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2010:0457-01, RHSA-2010:0458-02, SUSE-SR:2010:016, VIGILANCE-VUL-9658, VMSA-2010-0013, VMSA-2010-0013.1, VMSA-2010-0013.2, VMSA-2010-0013.3.

Description of the vulnerability

The Safe.pm module creates an environment (a compartment) that restricts Perl features:
 - Safe::reval("Perl code here"): the Perl code is executed under the restrictions
 - Safe::rdo("file"): the Perl code located in the file is executed under the restrictions

However, malicious Perl code can define a reference to a subroutine that is later called outside the restricted environment.

An attacker can therefore use a reference to a subroutine to bypass the restrictions imposed by Perl's Safe.pm module.

computer vulnerability announce CVE-2010-1169 CVE-2010-1170 CVE-2010-1447

PostgreSQL: five vulnerabilities

Synthesis of the vulnerability

An attacker can use five vulnerabilities in PostgreSQL to execute code or to generate a denial of service.
Impacted products: Debian, Fedora, HPE NNMi, NSMXpress, Mandriva Corporate, MES, Mandriva Linux, OpenSolaris, openSUSE, Solaris, PostgreSQL, RHEL, SLES.
Severity: 2/4.
Creation date: 18/05/2010.
Revision date: 21/05/2010.
Identifiers: BID-40215, BID-40304, BID-40305, c03333585, CERTA-2010-AVI-214, CVE-2010-1169, CVE-2010-1170, CVE-2010-1447, CVE-2010-1975, DSA-2051-1, FEDORA-2010-15870, FEDORA-2010-16004, FEDORA-2010-8696, FEDORA-2010-8715, FEDORA-2010-8723, HPSBMU02781, MDVSA-2010:103, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2010:0427-01, RHSA-2010:0428-01, RHSA-2010:0429-01, RHSA-2010:0430-01, SSRT100617, SUSE-SR:2010:014, SUSE-SR:2010:016, VIGILANCE-VUL-9647.

Description of the vulnerability

Five vulnerabilities were announced in PostgreSQL.

An attacker can define methods or overload operators to bypass the restrictions imposed by Perl's Safe.pm module. This vulnerability is a variant of VIGILANCE-VUL-9657/CVE-2010-1168. [severity:2/4; CVE-2010-1169]

An attacker can use a reference to a subroutine to bypass the restrictions imposed by Perl's Safe.pm module (VIGILANCE-VUL-9658). [severity:2/4; BID-40305, CERTA-2010-AVI-214, CVE-2010-1447]

When the PL/tcl procedural language is installed, a local attacker can store malicious data via autoload() in the pltcl_modules table in order to execute code. [severity:2/4; CVE-2010-1170]

When a Warm Standby slave database is used with PostgreSQL 8.4, the WAL (Write-Ahead Logging) data for "ALTER table SET TABLESPACE" is invalid, so the slave database is corrupted. An attacker can therefore use this command to generate a denial of service. [severity:1/4]

An attacker can use RESET ALL to reset some privileged fields of one of his databases, or of his record in the USER database. [severity:1/4; BID-40304, CVE-2010-1975]

computer vulnerability alert CVE-2009-4032

Cacti: four Cross Site Scripting

Synthesis of the vulnerability

Four Cross Site Scripting vulnerabilities in Cacti can be used by an attacker to execute JavaScript code in the context of the web site.
Impacted products: Cacti, Debian, Fedora, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Creation date: 20/05/2010.
Identifiers: BID-37109, CVE-2009-4032, DSA-1954-1, FEDORA-2009-12560, FEDORA-2009-12575, RHSA-2010:0635-01, SUSE-SR:2009:020, VIGILANCE-VUL-9656.

Description of the vulnerability

Four Cross Site Scripting vulnerabilities were announced in Cacti.

The graph_end parameter of the graph.php script is not correctly filtered. [severity:2/4]

The date1 parameter of the graph_view.php script is not correctly filtered. [severity:1/4]

The page_refresh/default_dual_pane_width parameter of the graph_settings.php script is not correctly filtered. [severity:1/4]

The graph_start parameter of the graph.php script is not correctly filtered. [severity:2/4]

An attacker can therefore execute JavaScript code in the context of the Cacti web site.

vulnerability announce CVE-2010-1626

MySQL: deleting a MyISAM table

Synthesis of the vulnerability

When a MySQL database uses the MyISAM engine, an attacker can delete a table or an index.
Impacted products: Debian, Mandriva Corporate, MES, Mandriva Linux, MySQL Community, MySQL Enterprise, openSUSE, Solaris, Percona Server, XtraDB Cluster, RHEL, SLES.
Severity: 1/4.
Creation date: 19/05/2010.
Identifiers: BID-40257, CERTA-2013-AVI-543, CVE-2010-1626, DSA-2057-1, MDVSA-2010:101, openSUSE-SU-2010:0730-1, openSUSE-SU-2010:0731-1, RHSA-2010:0442-01, SUSE-SR:2010:019, SUSE-SR:2010:021, VIGILANCE-VUL-9652.

Description of the vulnerability

A MySQL database can use a MyISAM or InnoDB engine.

An attacker can create a MyISAM table stored in a directory where he can edit files. He can then replace the table file with a symbolic link to the file of another table. When the first table is dropped, the other table is deleted as well.

When a MySQL database uses the MyISAM engine, an attacker can therefore delete a table or an index.

vulnerability alert CVE-2010-1321

MIT krb5: denial of service via GSS-API

Synthesis of the vulnerability

An authenticated attacker can send a malicious GSS-API token to stop some MIT krb5 applications.
Impacted products: Debian, Fedora, HP-UX, Mandriva Corporate, MES, Mandriva Linux, MIT krb5, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 19/05/2010.
Identifiers: BID-40235, c02257427, CVE-2010-1321, DSA-2052-1, FEDORA-2010-8749, FEDORA-2010-8796, FEDORA-2010-8805, HPSBUX02544, MDVSA-2010:100, MDVSA-2010:129, MDVSA-2010:130, MITKRB5-SA-2010-005, RHSA-2010:0423-01, SSRT100107, SUSE-SR:2010:013, SUSE-SR:2010:014, SUSE-SR:2010:015, SUSE-SR:2010:019, SUSE-SR:2011:008, VIGILANCE-VUL-9651, VMSA-2010-0013, VMSA-2010-0013.1, VMSA-2010-0013.2, VMSA-2010-0013.3, VMSA-2010-0016, VMSA-2010-0016.1.

Description of the vulnerability

The MIT Kerberos GSS-API (Generic Security Service Application Program Interface) library is used by GSS-API server applications; for example, the kadmind daemon uses this library.

A GSS-API token contains a checksum. However, if this checksum is missing, the krb5_gss_accept_sec_context() function dereferences a NULL pointer.

An authenticated attacker can therefore send a malicious GSS-API token to stop some MIT krb5 applications.

vulnerability note CVE-2010-1848 CVE-2010-1849 CVE-2010-1850

MySQL: four vulnerabilities

Synthesis of the vulnerability

Four vulnerabilities in MySQL can be used by a local attacker to access tables, execute code, or generate a denial of service.
Impacted products: Debian, Fedora, Mandriva Corporate, MES, Mandriva Linux, MySQL Community, MySQL Enterprise, openSUSE, Percona Server, XtraDB Cluster, RHEL, SLES.
Severity: 2/4.
Creation date: 17/05/2010.
Identifiers: 48419, 50974, 53237, 53371, BID-40100, BID-40106, BID-40109, CERTA-2010-AVI-223, CVE-2010-1848, CVE-2010-1849, CVE-2010-1850, DSA-2057-1, FEDORA-2010-9016, FEDORA-2010-9053, FEDORA-2010-9061, MDVSA-2010:107, openSUSE-SU-2010:0730-1, openSUSE-SU-2010:0731-1, RHSA-2010:0442-01, RHSA-2010:0824-01, SUSE-SR:2010:019, SUSE-SR:2010:021, VIGILANCE-VUL-9644.

Description of the vulnerability

Four vulnerabilities were announced in MySQL.

An attacker can use the COM_FIELD_LIST command to read or delete a table. [severity:2/4; 53371, BID-40109, CERTA-2010-AVI-223, CVE-2010-1848]

An attacker can trigger a buffer overflow in the COM_FIELD_LIST command to execute code. [severity:2/4; 53237, BID-40106, CVE-2010-1850]

An attacker can use a long packet to trigger an infinite loop. [severity:1/4; 50974, BID-40100, CVE-2010-1849]

An attacker can use an EXPLAIN on a query containing a sub-query to stop the service. [severity:1/4; 48419]

vulnerability announce CVE-2010-2092

Cacti: SQL injection via rra_id

Synthesis of the vulnerability

An attacker can use the rra_id variable to inject SQL code into the Cacti database.
Impacted products: Cacti, Debian, Fedora, MES, RHEL.
Severity: 3/4.
Creation date: 17/05/2010.
Identifiers: BID-40149, CERTA-2002-AVI-268, CVE-2010-2092, DSA-2060-1, FEDORA-2010-9036, FEDORA-2010-9047, FEDORA-2010-9062, MDVSA-2010:117, MOPS-2010-023, RHSA-2010:0635-01, VIGILANCE-VUL-9642.

Description of the vulnerability

The Cacti product uses a MySQL database and RRDtool (Round Robin Database) to store information. Graphs are displayed on an Apache+PHP web site via the "graph.php" page.

The "rra_id" parameter of "graph.php" indicates the number of the Round Robin Archive to display. This parameter is not correctly checked when it is supplied twice: in a POST/Cookie variable and in the GET URL.

An attacker can thus send a request with:
 - a GET "action" parameter containing "zoom", and
 - a GET "rra_id" parameter containing "1 AND 1=1" (here, the SQL injection), and
 - a Cookie "rra_id" containing 123 (here, the valid identifier).

An attacker can therefore use the rra_id variable to inject SQL code into the Cacti database.