. | CVE | Project | Project Description | Vulnerability | Patch URL (if available) | |
. | CVE-2007-4548 | Apache Geronimo 2.0 | A free software application server developed by the Apache Software Foundation and distributed under the Apache license. Current version is 2.0.2. | The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module. | https://issues.apache.org/jira/secure/attachment/12363723/GERONIMO-3404.patch | |
. | CVE-2006-1547 | Apache Struts | Apache Struts is a free open-source framework for creating Java web applications. | ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. | http://struts.apache.org/1.2.9/userGuide/release-notes.html | |
. | CVE-2006-1953 | Caucho Resin | The Resin® high-performance, open source application server features load balancing for increased reliability. | Directory traversal vulnerability in Caucho Resin 3.0.17 and 3.0.18 for Windows allows remote attackers to read arbitrary files via a "C:%5C" (encoded drive letter) in a URL. | Upgrade to Caucho Resin Server version 3.0.19: http://www.caucho.com/download/index.xtp | |
. | CVE-2006-5750 | JBoss Application Server | JBoss Application Server (or JBoss AS) is a free software / open source Java EE-based application server. | Directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5 allows remote authenticated users to read or modify arbitrary files, and possibly execute arbitrary code, via unspecified vectors related to the console manager. | http://jira.jboss.com/jira/browse/ASPATCH-126 | |
. | CVE-2006-3334 | Libpng | Libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over 12 years. | Buffer overflow in the png_decompress_chunk function in pngrutil.c in libpng before 1.2.12 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors related to "chunk error processing," possibly involving the "chunk_name". | http://sourceforge.net/projects/libpng/ | |
. | CVE-2006-3464 | LibTiff | A library for reading and writing Tagged Image File Format (abbreviated TIFF) files. The set also contains command-line tools for processing TIFF files. It is distributed as source code and can be found on the internet as binary builds for all kinds of platforms. LibTiff is embedded in multiple Linux distributions. | TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving "unchecked arithmetic operations". | http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz | |
. | CVE-2005-4837 | Net-SNMP | Net-SNMP is a suite of software for using and deploying the SNMP protocol (v1, v2c and v3 and the AgentX subagent protocol). | snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3, and 5.0.x before 5.0.10.2, when running in master agentx mode, allows remote attackers to cause a denial of service (crash) by causing a particular TCP disconnect, which triggers a free of an incorrect variable, a different vulnerability than CVE-2005-2177. | http://downloads.sourceforge.net/net-snmp/net-snmp-5.4.1.zip?modtime=1185535864&big_mirror=1 | |
. | CVE-2006-5051 | OpenSSH | OpenSSH is a free version of the SSH connectivity tools that encrypt all traffic (and passwords) to eliminate eavesdropping, connection hijacking, etc. | Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. | Upgrade to Globus Toolkit version 4.0.4 or GSI-OpenSSH version 3.9: http://grid.ncsa.uiuc.edu/ssh/download.html | |
. | CVE-2006-2937 | OpenSSL | A toolkit implementing SSL v2/v3 and TLS protocols with full-strength cryptography world-wide. | OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. | http://www.openssl.org/news/secadv_20060928.txt | |
. | CVE-2005-2096 | Zlib | Zlib is a software library used for data compression. zlib was written by Jean-loup Gailly and Mark Adler and is an abstraction of the DEFLATE compression algorithm used in their gzip file compression program. | zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. | http://www.zlib.net/zlib-1.2.3.tar.gz | |