Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
89
security advisoryRed Hat Linuxbuffer overflowRed Hat Linux 7.3/9 FLSA:1552 Moderate: Cadaver Buffer Overflow Fix
Updated cadaver packages that fix multiple security vulnerability are now available.. ----------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated cadaver resolves security vulnerabilities Advisory ID: FLSA:1552 Issue date: 2004-09-29 Product: Red Hat Linux Keywords: Security Cross references: CVE Names: CAN-2004-0179, CAN-2004-0398 ----------------------------------------------------------------------- ----------------------------------------------------------------------- 1. Topic: Updated cadaver packages that fix multiple security vulnerability are now available. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 3. Problem description: An updated cadaver package that fixes a vulnerability in neon exploitable by a malicious DAV server is now available. cadaver is a command-line WebDAV client that uses inbuilt code from neon, an HTTP and WebDAV client library. Versions of the neon client library up to and including 0.24.4 have been found to contain a number of format string bugs. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0179 to this issue. This issue was addressed in a previous update for Red Hat Linux 9. Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0398 to this issue. Users of cadaver are advised to upgrade to this updated package, which contains patches correcting these issues. 4. Solution: Beforeapplying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit .org/docs/ for directions on how to configure yum and apt-get. 5. Bug IDs fixed: - 1552 - cadaver neon vulnerability (CAN-2004-0179) 6. RPMs required: Red Hat Linux 7.3: SRPM: i386: Red Hat Linux 9: SRPM: i386: 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------------- 46931edc0f4e8ad25c994891938c103a45f28982 7.3/updates/SRPMS/cadaver-0.22.1-1.legacy.src.rpm 0c3742f3151d4dedc5e5320a3a4792f17e8bd2e4 7.3/updates/i386/cadaver-0.22.1-1.legacy.i386.rpm 6cc852676c85e9cc3dc8e472676185cdffabf09f 9/updates/SRPMS/cadaver-0.22.1-3.legacy.src.rpm 1a9d4e010885e902b2a6a994cfee5744b7f4afba 9/updates/i386/cadaver-0.22.1-3.legacy.i386.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from org/about/security.php You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum 8. References: 9.Contact: The Fedora Legacy security contact is . More project details at .org --------------------------------------------------------------------- . Revised cadaver software bundles released for immediate retrieval, addressing several security flaws within Red Hat Linux systems.. Cadaver Vulnerabilities, Red Hat Linux Updates, Buffer Overflow Fixes. . LinuxSecurity.com Team
Sep 30, 2004
Fedora
91
security advisorygentoobuffer overflowGentoo: 200405-15 Normal: Cadaver Heap-Based Buffer Overflow Exploit Risk
There is a heap-based buffer overflow vulnerability in the neon library used in cadaver, possibly leading to execution of arbitrary code when connected to a malicious server. [More...]. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200405-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: cadaver heap-based buffer overflow Date: May 20, 2004 Bugs: #51461 ID: 200405-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= There is a heap-based buffer overflow vulnerability in the neon library used in cadaver, possibly leading to execution of arbitrary code when connected to a malicious server. Background ========= cadaver is a command-line WebDAV client. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/cadaver = 0.22.2 Description ========== Stefan Esser discovered a vulnerability in the code of the neon library (see GLSA 200405-13). This library is also included in cadaver. Impact ===== When connected to a malicious WebDAV server, this vulnerability could allow remote execution of arbitrary code with the rights of the user running cadaver. Workaround ========= There is no known workaround at this time. All users are advised to upgrade to the latest available version of cadaver. Resolution ========= All users of cadaver should upgrade to the latest stable version: # emerge sync # emerge -pv "> =net-misc/cadaver-0.22.2" # emerge "> =net-misc/cadaver-0.22.2" References ========= [ 1 ] CAN-2004-0398 https://www.cve.org/CVERecord?id=CAN-2004-0398 [ 2 ] GLSA 200405-13 https://security.gentoo.org/glsa/200405-13 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/200405-15 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to
May 20, 2004
Gentoo
87
security advisoryremote exploitcriticalDebian DSA 507-1 Critical: Cadaver Heap Overflow Remote Exploit
User input is copied into variables not large enough for all cases. This can lead to an overflow of a static heap variable.. Debian Security Advisory DSA 507-1
May 19, 2004
•Critical
Debian
98
security advisoryRed HatcriticalRed Hat Enterprise Linux: RHSA-2004:191-01 Critical: Cadaver Heap Overflow
An updated cadaver package is now available that fixes a vulnerability in neon which could be exploitable by a malicious DAV server.. Red Hat Security Advisory Synopsis: Updated cadaver package fixes security vulnerability in neon Advisory ID: RHSA-2004:191-01 Issue date: 2004-05-19 Updated on: 2004-05-19 Product: Red Hat Enterprise Linux Keywords: cadaver neon sscanf Cross references: Obsoletes: CVE Names: CAN-2004-0398 - --------------------------------------------------------------------- 1. Topic: An updated cadaver package is now available that fixes a vulnerability in neon which could be exploitable by a malicious DAV server. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 3. Problem description: cadaver is a command-line WebDAV client that uses inbuilt code from neon, an HTTP and WebDAV client library. Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0398 to this issue. Users of cadaver are advised to upgrade to this updated package, which contains a patch correcting this issue. This issue does not affect Red Hat Enterprise Linux 3. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included inthe list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://access.redhat.com 5. Bug IDs fixed ( for more info): 122497 - CAN-2004-0398 heap overflow in neon affects cadaver 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: i386: Available from Red Hat Network: cadaver-0.22.1-1.0.i386.rpm ia64: Available from Red Hat Network: cadaver-0.22.1-1.0.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: ia64: Available from Red Hat Network: cadaver-0.22.1-1.0.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: i386: Available from Red Hat Network: cadaver-0.22.1-1.0.i386.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: i386: Available from Red Hat Network: cadaver-0.22.1-1.0.i386.rpm 7. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- 74352b500efc9fe95b932db561a97301 cadaver-0.22.1-1.0.i386.rpm 504c70514d6fe70edd342fe05809f059 cadaver-0.22.1-1.0.ia64.rpm f61038fc22fd38899ee8366ed77c99a6 cadaver-0.22.1-1.0.src.rpm These packages are GPG signed by Red Hat for security. Our key is available from You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with,examine only the md5sum with the following command: md5sum 8. References: CVE -CVE-2004-0398 9. Contact: The Red Hat security contact is . More contact details at Copyright 2004 Red Hat, Inc. . The updated mortuary chamber addresses a significant stack overflow flaw in the luminescence module, potentially allowing for unapproved program execution.. cadaver Security Advisory, Red Hat Patch, Heap Overflow Fix, WebDAV Exploit. . Severity: Critical. LinuxSecurity.com Team
May 19, 2004
•Critical
Red Hat
91
security advisorygentoocode executionGentoo GLSA-200404-14 Normal: Cadaver Format String Code Execution
There are multiple format string vulnerabilities in the neon library used in cadaver, possibly leading to execution of arbitrary code when connected to a malicious server. [More...]. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200404-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Multiple format string vulnerabilities in cadaver Date: April 19, 2004 Bugs: #47799 ID: 200404-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= There are multiple format string vulnerabilities in the neon library used in cadaver, possibly leading to execution of arbitrary code when connected to a malicious server. Background ========= According to http://www.webdav.org/cadaver/ cadaver is a command-line WebDAV client for Unix. It supports file upload, download, on-screen display, namespace operations (move/copy), collection creation and deletion, and locking operations. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- net-misc/cadaver < 0.22.1 > = 0.22.1 Description ========== Cadaver code includes the neon library, which in versions 0.24.4 and previous is vulnerable to multiple format string attacks. The latest version of cadaver uses version 0.24.5 of the neon library, which makes it immune to this vulnerability. Impact ===== When using cadaver to connect to an untrusted WebDAV server, this vulnerability can allow a malicious remote server to execute arbitrary code on the client with the rights of the user usingcadaver. Workaround ========= A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package. Resolution ========= cadaver users should upgrade to version 0.22.1 or later: # emerge sync # emerge -pv "> =net-misc/cadaver-0.22.1" # emerge "> =net-misc/cadaver-0.22.1" References ========= [ 1 ] https://www.cve.org/CVERecord?id=CAN-2004-0179 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/200404-14 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to
Apr 19, 2004
Gentoo
98
security advisoryRed HatcriticalRed Hat: RHSA-2004:158-01 Critical: Cadaver Exploit for WebDAV Client
An updated cadaver package that fixes a vulnerability in neon exploitable by a malicious DAV server is now available.. Red Hat Security Advisory Synopsis: Updated cadaver package fixes security vulnerability in neon Advisory ID: RHSA-2004:158-01 Issue date: 2004-04-14 Updated on: 2004-04-14 Product: Red Hat Linux Keywords: Cross references: Obsoletes: CVE Names: CAN-2004-0179 - --------------------------------------------------------------------- 1. Topic: An updated cadaver package that fixes a vulnerability in neon exploitable by a malicious DAV server is now available. 2. Relevant releases/architectures: Red Hat Linux 9 - i386 3. Problem description: cadaver is a command-line WebDAV client that uses inbuilt code from neon, an HTTP and WebDAV client library. Versions of the neon client library up to and including 0.24.4 have been found to contain a number of format string bugs. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0179 to this issue. Users of cadaver are advised to upgrade to this updated package, which contains a patch correcting this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch theRed Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website: https://access.redhat.com 5. RPMs required: Red Hat Linux 9: SRPMS: i386: 6. Verification: MD5 sum Package Name - -------------------------------------------------------------------------- 517f4e41e80560cf0c40e12112cfd748 9/en/os/SRPMS/cadaver-0.22.0-2.2.src.rpm 53a4af284026d42b837f704fe6568ce8 9/en/os/i386/cadaver-0.22.0-2.2.i386.rpm These packages are GPG signed by Red Hat for security. Our key is available from You can verify each package with the following command: rpm --checksig -v If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: md5sum 7. References: CVE -CVE-2004-0179 8. Contact: The Red Hat security contact is . More contact details at Copyright 2004 Red Hat, Inc. . The recent cadaver enhancement tackles a security flaw in neon, rendering it vulnerable to threats posed by malicious WebDAV servers.. cadaver Exploit, Red Hat Security, WebDAV Client, Neon Vulnerability, Security Patch. . Severity: Critical. LinuxSecurity.com Team
Apr 14, 2004
•Critical
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!