Note: After some upstream versioning limbo, this is the official first release
of argus 3.0 considered to be an release-candidate. Bug fixes for this
version will make its way into the upcoming 3.0.1!
Note: After some upstream versioning limbo, this is the official first release
of argus 3.0 considered to be an release-candidate. Bug fixes for this
version will make its way into the upcoming 3.0.1!
CVE-2008-1720 (High) :
Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might
allow remote attackers to execute arbitrary code via unknown vectors.
CVE-2007-1276 (Medium) :
Multiple cross-site scripting (XSS) vulnerabilities in chooser.cgi in Webmin before 1.330 and
Usermin before 1.260 allow remote attackers to inject arbitrary web script or HTML via a crafted
filename.
CVE-2007-3156 (Medium) :
Multiple cross-site scripting (XSS) vulnerabilities in pam_login.cgi in Webmin before 1.350 and
Usermin before 1.280 allow remote attackers to inject arbitrary web script or HTML via the (1) cid,
(2) message, or (3) question parameter. NOTE: some of these details are obtained from third
party information.
CVE-2007-5066 (High) :
Unspecified vulnerability in Webmin before 1.370 on Windows allows remote authenticated users
to execute arbitrary commands via a crafted URL.
CVE-2008-0720 (Medium) :
Cross-site scripting (XSS) vulnerability in Webmin 1.370 and 1.390 and Usermin 1.300 and 1.320
allows remote attackers to inject arbitrary web script or HTML via the search parameter to
webmin_search.cgi (aka the search section), and possibly other components accessed through
a "search box" or "open file box." NOTE: some of these details are obtained from third party
information.
CVE-2008-0983 (Medium) :
lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a
file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large
number of connections, which triggers an out-of-bounds access.
CVE-2008-1111 (Medium) :
mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a
fork failure occurs, which might allow remote attackers to obtain sensitive information.
CVE-2008-1270 (Medium) :
mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME,
which might allow remote attackers to read arbitrary files, as demonstrated by accessing the
~nobody directory.
Instead of simply copying the 'ip_vs.h' header file we apply a patch that
assures the installation of a 'sanitized' version while building the
linux-header package.
CVE-2007-4091 (Medium) :
Multiple off-by-one errors in the sender.c in rsync 2.6.9 might allow remote attackers to execute
arbitrary code via directory names that are not properly handled when calling the f_name function.
CVE-2007-6199 (High) :
rsync before 3.0.0pre6, when running a writable rsync daemon that is not using chroot, allows
remote attackers to access restricted files via unknown vectors that cause rsync to create a
symlink that points outside of the module's hierarchy.
CVE-2007-6200 (High) :
Unspecified vulnerability in rsync before 3.0.0pre6, when running a writable rsync daemon, allows
remote attackers to bypass exclude, exclude_from, and filter and read or write hidden files via (1)
symlink, (2) partial-dir, (3) backup-dir, and unspecified (4) dest options.
Alejandro Mery
Christian Wiese
Aldas Nabazas