Sun Solaris vulnerabilities

CVE-2007-1681 [HIGH] CVE-2007-1681: Format string vulnerability in libwebconsole_services.so in Sun Java Web Console 2.2.2 through 2.2.5 Format string vulnerability in libwebconsole_services.so in Sun Java Web Console 2.2.2 through 2.2.5 allows remote attackers to cause a denial of service (application crash), obtain sensitive information, and possibly execute arbitrary code via unspecified vectors during a failed login attempt, related to syslog.

CVE-2006-7140 [MEDIUM] CVE-2006-7140: The libike library, as used by in.iked, elfsign, and kcfd in Sun Solaris 9 and 10, when using an RSA The libike library, as used by in.iked, elfsign, and kcfd in Sun Solaris 9 and 10, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents libike from correctly verifying X.509 and other certificates that use PKCS #1, a s

CVE-2006-7028 [HIGH] CVE-2006-7028: Single CPU Sun systems running Solaris 7, 8, or 9, such as Netra, allows remote attackers to cause a Single CPU Sun systems running Solaris 7, 8, or 9, such as Netra, allows remote attackers to cause a denial of service (console hang) via a flood of small TCP/IP packets. NOTE: this issue has not been replicated by third parties. In addition, the cause is unknown, although it might be related to "jabber" and generation of a large amount of interrupts within the

CVE-2007-0914 [HIGH] CVE-2007-0914: Race condition in the TCP subsystem for Solaris 10 allows remote attackers to cause a denial of serv Race condition in the TCP subsystem for Solaris 10 allows remote attackers to cause a denial of service (system panic) via unknown vectors.

CVE-2007-0895 [LOW] CVE-2007-0895: Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 t Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to

CVE-2007-0668 [MEDIUM] CVE-2007-0668: The Loopback Filesystem (LOFS) in Sun Solaris 10 allows local users in a non-global zone to move and The Loopback Filesystem (LOFS) in Sun Solaris 10 allows local users in a non-global zone to move and rename files in a read-only filesystem, which could lead to a denial of service.

CVE-2007-0634 [HIGH] CVE-2007-0634: Unspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denia Unspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denial of service (system crash) via certain ICMP packets.

CVE-2007-0503 [MEDIUM] CVE-2007-0503: Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local user Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors.

CVE-2007-0470 [HIGH] CVE-2007-0470: Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uu Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors.

CVE-2007-0393 [MEDIUM] CVE-2007-0393: Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which Sun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.

CVE-2007-0165 [HIGH] CVE-2007-0165: Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind.

CVE-2006-6494 [MEDIUM] CVE-2006-6494: Directory traversal vulnerability in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execu Directory traversal vulnerability in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via a .. (dot dot) sequence in the LANG environment variable that points to a locale file containing attacker-controlled format string specifiers.

CVE-2006-6495 [MEDIUM] CVE-2006-6495: Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arb Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if

CVE-2006-6275 [MEDIUM] CWE-362 CVE-2006-6275: Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of ser Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors, possibly related to the exitlwps function and SIGKILL and /proc PCAGENT signals.

CVE-2006-5726 [MEDIUM] CVE-2006-5726: alloccgblk in the UFS filesystem in Solaris 10 allows local users to cause a denial of service (memo alloccgblk in the UFS filesystem in Solaris 10 allows local users to cause a denial of service (memory corruption) by mounting crafted UFS filesystems with malformed data structures.

CVE-2006-5396 [MEDIUM] CVE-2006-5396: The tcp_fuse_rcv_drain function in the Sun Solaris 10 kernel before 20061017, when TCP Fusion is ena The tcp_fuse_rcv_drain function in the Sun Solaris 10 kernel before 20061017, when TCP Fusion is enabled, allows local users to cause a denial of service (system crash) via a TCP loopback connection with both endpoints on the same system.

CVE-2006-4842 [LOW] CWE-20 CVE-2006-4842: The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-spe The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.

CVE-2006-5201 [MEDIUM] CVE-2006-5201: Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which all

CVE-2006-5214 [LOW] CVE-2006-5214: Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users.

CVE-2006-5213 [LOW] CVE-2006-5213: Sun Solaris 10 before 20061006 uses "incorrect and insufficient permission checks" that allow local Sun Solaris 10 before 20061006 uses "incorrect and insufficient permission checks" that allow local users to intercept or spoof packets by creating a raw socket on a link aggregation (network device aggregation).