Canonical Ubuntu Linux 9.04

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Published: 2010-12-06T21:00:00.000Z
Updated: 2024-08-07T03:34:37.524Z

The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.

Published: 2010-12-06T20:00:00.000Z
Updated: 2025-10-22T00:05:50.418Z

The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array.

Published: 2010-11-26T19:00:00.000Z
Updated: 2024-08-07T03:18:53.067Z

The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.

Published: 2010-11-05T17:00:00.000Z
Updated: 2024-08-07T03:18:52.995Z

The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.

Published: 2010-09-21T19:00:00.000Z
Updated: 2024-08-07T03:11:44.267Z

ctcphandler.cpp in Quassel before 0.6.3 and 0.7.x before 0.7.1 allows remote attackers to cause a denial of service (unresponsive IRC) via multiple Client-To-Client Protocol (CTCP) requests in a PRIVMSG message.

Published: 2013-11-23T11:00:00.000Z
Updated: 2024-08-07T03:11:43.740Z

Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.

Published: 2010-10-04T20:00:00.000Z
Updated: 2024-08-07T03:11:44.277Z

Integer signedness error in the pkt_find_dev_from_minor function in drivers/block/pktcdvd.c in the Linux kernel before 2.6.36-rc6 allows local users to obtain sensitive information from kernel memory or cause a denial of service (invalid pointer dereference and system crash) via a crafted index value in a PKT_CTRL_CMD_STATUS ioctl call.

Published: 2010-10-04T20:00:00.000Z
Updated: 2024-08-07T03:11:43.945Z

The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.

Published: 2010-11-20T21:00:00.000Z
Updated: 2024-08-07T03:11:44.070Z

Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions.

Published: 2010-09-29T16:00:00.000Z
Updated: 2024-08-07T03:03:18.941Z

Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command.

Published: 2010-09-29T16:00:00.000Z
Updated: 2024-08-07T02:55:46.671Z

Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.

Published: 2010-09-21T17:00:00.000Z
Updated: 2024-08-07T02:55:46.788Z

The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call.

Published: 2010-09-21T17:00:00.000Z
Updated: 2024-08-07T02:55:46.788Z

Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share.

Published: 2010-09-15T17:26:00.000Z
Updated: 2024-08-07T02:55:46.813Z

Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.

Published: 2010-09-21T17:00:00.000Z
Updated: 2024-08-07T02:55:46.611Z

drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device.

Published: 2010-11-26T18:23:00.000Z
Updated: 2024-08-07T02:55:45.531Z

The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T02:55:45.833Z

The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T02:55:45.505Z

The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket.

Published: 2010-09-03T19:00:00.000Z
Updated: 2024-08-07T02:55:45.504Z

fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users by bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name.

Published: 2010-09-29T16:00:00.000Z
Updated: 2024-08-07T02:55:45.371Z

The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c.

Published: 2010-09-21T17:00:00.000Z
Updated: 2024-08-07T02:55:45.364Z

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:46:48.199Z

FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:46:48.156Z

Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:46:48.031Z

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:46:48.055Z

The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T02:46:48.446Z

Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:39:36.789Z

Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:39:36.500Z

The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T02:39:36.815Z

Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:39:36.739Z

Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:39:36.482Z

Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:32:16.861Z

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:32:16.891Z

The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.

Published: 2010-08-19T17:43:00.000Z
Updated: 2024-08-07T02:32:16.854Z

The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does not properly validate certain values associated with an interface, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T02:32:16.772Z

Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.

Published: 2010-09-29T16:00:00.000Z
Updated: 2024-08-07T02:32:16.768Z

Memory leak in pngrutil.c in libpng before 1.2.44, and 1.4.x before 1.4.3, allows remote attackers to cause a denial of service (memory consumption and application crash) via a PNG image containing malformed Physical Scale (aka sCAL) chunks.

Published: 2010-06-30T18:00:00.000Z
Updated: 2024-08-07T02:25:07.563Z

The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.

Published: 2010-09-03T19:00:00.000Z
Updated: 2024-08-07T02:25:07.361Z

Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.

Published: 2010-06-23T18:00:00.000Z
Updated: 2024-08-07T02:17:14.412Z

The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T02:17:14.515Z

Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet.

Published: 2010-06-17T16:00:00.000Z
Updated: 2024-08-07T02:17:13.723Z

The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.

Published: 2010-05-19T18:13:00.000Z
Updated: 2024-08-07T01:21:18.983Z

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row.

Published: 2010-06-30T18:00:00.000Z
Updated: 2024-08-07T01:14:06.655Z

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability."

Published: 2010-04-01T16:00:00.000Z
Updated: 2025-10-22T00:05:52.754Z

Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.

Published: 2010-04-07T15:00:00.000Z
Updated: 2024-08-07T00:52:19.635Z

The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem.

Published: 2010-02-15T18:00:00.000Z
Updated: 2024-08-07T00:52:19.627Z

drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.

Published: 2010-02-21T22:00:00.000Z
Updated: 2024-08-07T00:45:12.168Z

OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote attackers to bypass Python macro security restrictions and execute arbitrary Python code via a crafted OpenDocument Text (ODT) file that triggers code execution when the macro directory structure is previewed.

Published: 2010-06-10T00:00:00.000Z
Updated: 2024-08-07T00:45:12.198Z

The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.

Published: 2010-02-17T18:00:00.000Z
Updated: 2024-08-07T00:45:12.039Z

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.

Published: 2010-03-05T19:00:00.000Z
Updated: 2024-08-07T00:45:11.943Z

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

Published: 2010-03-03T19:00:00.000Z
Updated: 2024-08-07T00:37:54.124Z

The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.

Published: 2010-02-21T17:00:00.000Z
Updated: 2024-08-07T00:37:53.936Z

OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document.

Published: 2010-02-16T19:00:00.000Z
Updated: 2024-08-07T00:37:54.087Z

Race condition in the tty_fasync function in drivers/char/tty_io.c in the Linux kernel before 2.6.32.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via unknown vectors, related to the put_tty_queue and __f_setown functions. NOTE: the vulnerability was addressed in a different way in 2.6.32.9.

Published: 2010-09-08T19:00:00.000Z
Updated: 2024-08-07T07:17:26.064Z

Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. NOTE: this was originally reported for MySQL 5.0.51a.

Published: 2009-12-30T21:00:00.000Z
Updated: 2024-08-07T07:01:20.829Z

Multiple directory traversal vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to overwrite arbitrary files or obtain sensitive information via vectors involving (1) control field names, (2) control field values, and (3) control files of patch systems.

Published: 2010-02-02T16:25:00.000Z
Updated: 2024-09-16T17:24:02.624Z

The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.

Published: 2009-11-16T19:00:00.000Z
Updated: 2024-08-07T06:45:50.560Z

The connector layer in the Linux kernel before 2.6.31.5 does not require the CAP_SYS_ADMIN capability for certain interaction with the (1) uvesafb, (2) pohmelfs, (3) dst, or (4) dm subsystem, which allows local users to bypass intended access restrictions and gain privileges via calls to functions in these subsystems.

Published: 2009-11-06T15:00:00.000Z
Updated: 2024-08-07T06:38:30.225Z

net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket.

Published: 2009-10-22T15:26:00.000Z
Updated: 2024-08-07T06:31:10.537Z

The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.

Published: 2009-10-22T15:26:00.000Z
Updated: 2024-08-07T06:31:10.635Z

The tcf_fill_node function in net/sched/cls_api.c in the netlink subsystem in the Linux kernel 2.6.x before 2.6.32-rc5, and 2.4.37.6 and earlier, does not initialize a certain tcm__pad2 structure member, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2005-4881.

Published: 2009-10-19T19:27:00.000Z
Updated: 2024-08-07T06:31:10.729Z

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Published: 2009-11-09T17:00:00.000Z
Updated: 2026-05-27T15:38:56.729Z

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.

Published: 2009-11-20T02:00:00.000Z
Updated: 2024-08-07T06:31:10.475Z

Multiple race conditions in fs/pipe.c in the Linux kernel before 2.6.32-rc6 allow local users to cause a denial of service (NULL pointer dereference and system crash) or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname.

Published: 2009-11-04T15:00:00.000Z
Updated: 2024-08-07T06:31:10.441Z

filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTSetBrc table property modifier in a Word document, related to a "boundary error flaw."

Published: 2010-02-16T19:00:00.000Z
Updated: 2024-08-07T06:22:24.239Z

Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document.

Published: 2010-02-16T19:00:00.000Z
Updated: 2024-08-07T06:22:24.255Z

The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."

Published: 2009-09-18T10:00:00.000Z
Updated: 2024-08-07T06:22:24.084Z

pam-auth-update for PAM, as used in Ubuntu 8.10 and 9.4, and Debian GNU/Linux, does not properly handle an "empty selection" for system authentication modules in certain rare configurations, which causes any attempt to be successful and allows remote attackers to bypass authentication.

Published: 2009-09-17T10:00:00.000Z
Updated: 2024-08-07T06:22:23.335Z

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

Published: 2009-09-17T10:00:00.000Z
Updated: 2024-08-07T06:22:23.182Z

The tc_fill_tclass function in net/sched/sch_api.c in the tc subsystem in the Linux kernel 2.4.x before 2.4.37.6 and 2.6.x before 2.6.31-rc9 does not initialize certain (1) tcm__pad1 and (2) tcm__pad2 structure members, which might allow local users to obtain sensitive information from kernel memory via unspecified vectors.

Published: 2009-10-19T19:27:00.000Z
Updated: 2024-08-07T06:22:23.283Z

Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

Published: 2009-11-20T17:00:00.000Z
Updated: 2024-08-07T06:14:55.614Z

The Linux kernel before 2.6.31-rc7 does not initialize certain data structures within getname functions, which allows local users to read the contents of some kernel memory locations by calling getsockname on (1) an AF_APPLETALK socket, related to the atalk_getname function in net/appletalk/ddp.c; (2) an AF_IRDA socket, related to the irda_getname function in net/irda/af_irda.c; (3) an AF_ECONET socket, related to the econet_getname function in net/econet/af_econet.c; (4) an AF_NETROM socket, related to the nr_getname function in net/netrom/af_netrom.c; (5) an AF_ROSE socket, related to the rose_getname function in net/rose/af_rose.c; or (6) a raw CAN socket, related to the raw_getname function in net/can/raw.c.

Published: 2009-08-28T15:00:00.000Z
Updated: 2024-08-07T06:14:55.183Z

The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel 2.6.31-rc7 and earlier does not initialize a certain data structure, which allows local users to read the contents of some kernel memory locations by calling getsockname on an AF_LLC socket.

Published: 2009-08-28T15:00:00.000Z
Updated: 2024-08-07T06:07:37.446Z

Heap-based buffer overflow in the GIFLZWDecompressor::GIFLZWDecompressor function in filter.vcl/lgif/decode.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file, related to LZW decompression.

Published: 2010-02-16T19:00:00.000Z
Updated: 2024-08-07T06:07:37.420Z

Integer overflow in the XPMReader::ReadXPM function in filter.vcl/ixpm/svt_xpmread.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to execute arbitrary code via a crafted XPM file that triggers a heap-based buffer overflow.

Published: 2010-02-16T19:00:00.000Z
Updated: 2024-08-07T06:07:37.394Z

arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.

Published: 2009-10-20T17:00:00.000Z
Updated: 2024-08-07T06:07:37.244Z

smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet.

Published: 2009-10-07T18:00:00.000Z
Updated: 2024-08-07T06:07:37.199Z

Memory leak in the appletalk subsystem in the Linux kernel 2.4.x through 2.4.37.6 and 2.6.x through 2.6.31, when the appletalk and ipddp modules are loaded but the ipddp"N" device is not found, allows remote attackers to cause a denial of service (memory consumption) via IP-DDP datagrams.

Published: 2009-09-15T22:00:00.000Z
Updated: 2024-08-07T06:07:37.216Z

The execve function in the Linux kernel, possibly 2.6.30-rc6 and earlier, does not properly clear the current->clear_child_tid pointer, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a clone system call with CLONE_CHILD_SETTID or CLONE_CHILD_CLEARTID enabled, which is not properly handled during thread creation and exit.

Published: 2009-08-18T20:41:00.000Z
Updated: 2024-08-07T06:07:37.170Z

The udp_sendmsg function in the UDP implementation in (1) net/ipv4/udp.c and (2) net/ipv6/udp.c in the Linux kernel before 2.6.19 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving the MSG_MORE flag and a UDP socket.

Published: 2009-08-27T17:00:00.000Z
Updated: 2024-08-07T05:59:56.948Z

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Published: 2009-08-06T15:00:00.000Z
Updated: 2024-08-07T05:59:56.314Z

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Published: 2009-08-21T17:00:00.000Z
Updated: 2024-08-07T05:52:14.820Z

Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted (1) Notation or (2) Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.

Published: 2009-08-11T18:00:00.000Z
Updated: 2025-01-21T15:30:42.200Z

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

Published: 2009-07-30T19:00:00.000Z
Updated: 2024-08-07T05:52:14.734Z

The kvm_arch_vcpu_ioctl_set_sregs function in the KVM in Linux kernel 2.6 before 2.6.30, when running on x86 systems, does not validate the page table root in a KVM_SET_SREGS call, which allows local users to cause a denial of service (crash or hang) via a crafted cr3 value, which triggers a NULL pointer dereference in the gfn_to_rmap function.

Published: 2009-07-01T12:26:00.000Z
Updated: 2024-08-07T05:44:55.594Z

The inode double locking code in fs/ocfs2/file.c in the Linux kernel 2.6.30 before 2.6.30-rc3, 2.6.27 before 2.6.27.24, 2.6.29 before 2.6.29.4, and possibly other versions down to 2.6.19 allows local users to cause a denial of service (prevention of file creation and removal) via a series of splice system calls that trigger a deadlock between the generic_file_splice_write, splice_from_pipe, and ocfs2_file_splice_write functions.

Published: 2009-06-06T18:00:00.000Z
Updated: 2024-08-07T05:36:19.502Z

Off-by-one error in the apr_brigade_vprintf function in Apache APR-util before 1.3.5 on big-endian platforms allows remote attackers to obtain sensitive information or cause a denial of service (application crash) via crafted input.

Published: 2009-06-06T18:00:00.000Z
Updated: 2024-08-07T05:36:19.492Z

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

Published: 2009-06-06T18:00:00.000Z
Updated: 2024-08-07T05:36:19.503Z

The personality subsystem in the Linux kernel before 2.6.31-rc3 has a PER_CLEAR_ON_SETID setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO flags when executing a setuid or setgid program, which makes it easier for local users to leverage the details of memory usage to (1) conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr protection mechanism, or (3) defeat address space layout randomization (ASLR).

Published: 2009-07-16T15:00:00.000Z
Updated: 2024-08-07T05:27:54.804Z

The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).

Published: 2009-07-10T15:00:00.000Z
Updated: 2024-08-07T05:27:54.767Z

The stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server before 2.3.3, when a reverse proxy is configured, does not properly handle an amount of streamed data that exceeds the Content-Length value, which allows remote attackers to cause a denial of service (CPU consumption) via crafted requests.

Published: 2009-07-05T16:00:00.000Z
Updated: 2024-08-07T05:27:54.851Z

The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.

Published: 2009-06-24T22:00:00.000Z
Updated: 2024-08-07T05:27:54.782Z

The decompression implementation in the Imf::hufUncompress function in OpenEXR 1.2.2 and 1.6.1 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger a free of an uninitialized pointer.

Published: 2009-07-31T18:29:00.000Z
Updated: 2024-08-07T05:20:35.076Z

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Published: 2009-06-10T17:37:00.000Z
Updated: 2024-08-07T05:20:35.119Z

Multiple buffer overflows in the cifs subsystem in the Linux kernel before 2.6.29.4 allow remote CIFS servers to cause a denial of service (memory corruption) and possibly have unspecified other impact via (1) a malformed Unicode string, related to Unicode string area alignment in fs/cifs/sess.c; or (2) long Unicode characters, related to fs/cifs/cifssmb.c and the cifs_readdir function in fs/cifs/readdir.c.

Published: 2009-05-28T20:14:00.000Z
Updated: 2024-08-07T05:20:34.936Z

The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

Published: 2009-05-14T17:00:00.000Z
Updated: 2024-08-07T05:20:34.608Z

The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."

Published: 2009-06-04T16:00:00.000Z
Updated: 2024-08-07T05:13:25.436Z

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

Published: 2009-06-04T16:00:00.000Z
Updated: 2024-08-07T05:13:25.487Z

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

Published: 2009-05-19T19:00:00.000Z
Updated: 2024-08-07T05:13:25.511Z

The vmx_set_msr function in arch/x86/kvm/vmx.c in the VMX implementation in the KVM subsystem in the Linux kernel before 2.6.29.1 on the i386 platform allows guest OS users to cause a denial of service (OOPS) by setting the EFER_LME (aka "Long mode enable") bit in the Extended Feature Enable Register (EFER) model-specific register, which is specific to the x86_64 platform.

Published: 2009-04-06T14:00:00.000Z
Updated: 2024-08-07T05:04:49.295Z

mod_proxy_ajp.c in the mod_proxy_ajp module in the Apache HTTP Server 2.2.11 allows remote attackers to obtain sensitive response data, intended for a client that sent an earlier POST request with no request body, via an HTTP request.

Published: 2009-04-23T17:00:00.000Z
Updated: 2024-08-07T05:04:49.027Z

nfsd in the Linux kernel before 2.6.28.9 does not drop the CAP_MKNOD capability before handling a user request in a thread, which allows local users to create device nodes, as demonstrated on a filesystem that has been exported with the root_squash option.

Published: 2009-03-25T01:00:00.000Z
Updated: 2024-08-07T04:57:17.810Z

The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags.

Published: 2009-06-09T17:00:00.000Z
Updated: 2024-08-07T04:57:17.124Z

Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.

Published: 2009-04-17T00:00:00.000Z
Updated: 2024-08-07T04:57:17.538Z

The ACL plugin in Dovecot before 1.1.4 treats negative access rights as if they are positive access rights, which allows attackers to bypass intended access restrictions.

Published: 2008-10-15T20:00:00.000Z
Updated: 2024-08-07T10:24:20.877Z

MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.

Published: 2008-09-17T18:06:00.000Z
Updated: 2024-08-07T10:00:42.841Z

Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.

Published: 2008-09-12T16:00:00.000Z
Updated: 2024-08-07T09:45:18.156Z

Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function.

Published: 2008-05-16T06:54:00.000Z
Updated: 2024-08-07T08:41:00.433Z