Common Vulnerabilities & Exposures

CVEs and Response Table

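MontaVista continuously monitors the community and the market in order to respond to security threats. For affected products, we set the priority of fixes according to the CVE score (NVD: National Vulnerability Database). The CVEs listed below have either been addressed or are currently being addressed.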

For inquiries about CVEs, please contact us in English at this address: security@mvista.com

CVE List 2003

| CVE | Score | Severity | Package | Description | Published |
|---|---|---|---|---|---|
| CVE-2003-0147 | 5.0 | Medium | openpkg | OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). | March 31, 2003 14:03 pm |
| CVE-2003-0854 | 2.1 | Low | fileutils | ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd. | November 17, 2003 14:11 pm |
| CVE-2003-0388 | 4.6 | Medium | kernel | pam_wheel in Linux-PAM 0.78, with the trust option enabled and the use_uid option disabled, allows local users to spoof log entries and gain privileges by causing getlogin() to return a spoofed user name. | July 24, 2003 13:07 pm |
| CVE-2003-0545 | 10.0 | High | openssl | Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. | November 17, 2003 14:11 pm |
| CVE-2003-0028 | 7.5 | High | glibc | Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. | March 25, 2003 14:03 pm |
| CVE-2003-0131 | 7.5 | High | openssl | The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." | March 24, 2003 14:03 pm |
| CVE-2003-0078 | 5.0 | Medium | openssl | ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." | March 3, 2003 14:03 pm |
| CVE-2003-1327 | 9.3 | High | wu-ftpd | Buffer overflow in the SockPrintf function in wu-ftpd 2.6.2 and earlier, when compiled with MAIL_ADMIN option enabled on a system that supports very long pathnames, might allow remote anonymous users to execute arbitrary code by uploading a file with a long pathname, which triggers the overflow when wu-ftpd constructs a notification message to the administrator. | December 31, 2003 14:12 pm |
| CVE-2003-0544 | 5.0 | Medium | openssl | OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. | November 17, 2003 14:11 pm |
| CVE-2003-0543 | 5.0 | Medium | openssl | Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. | November 17, 2003 14:11 pm |
| CVE-2003-1604 | 7.8 | | kernel | The redirect_target function in net/ipv4/netfilter/ipt_REDIRECT.c in the Linux kernel before 2.6.0 allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending packets to an interface that has a 0.0.0.0 IP address, a related issue to CVE-2015-8787. | May 2, 2016 19:05 pm |