CVE-2002-0059 (GCVE-0-2002-0059)
Vulnerability from cvelistv5
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-08T02:35:17.400Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "CA-2002-07",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"name": "MDKSA-2002:022",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE",
"x_transferred"
],
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"name": "4267",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/4267"
},
{
"name": "zlib-doublefree-memory-corruption(8427)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
},
{
"name": "HPSBTL0204-030",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"name": "CLA-2002:469",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA",
"x_transferred"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"name": "MDKSA-2002:023",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE",
"x_transferred"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"name": "DSA-122",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"name": "CSSA-2002-015.1",
"tags": [
"vendor-advisory",
"x_refsource_CALDERA",
"x_transferred"
],
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"name": "MDKSA-2002:024",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE",
"x_transferred"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"name": "VU#368819",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"name": "RHSA-2002:027",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"name": "CSSA-2002-014.1",
"tags": [
"vendor-advisory",
"x_refsource_CALDERA",
"x_transferred"
],
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"name": "HPSBTL0204-036",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"name": "RHSA-2002:026",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"name": "HPSBTL0204-037",
"tags": [
"vendor-advisory",
"x_refsource_HP",
"x_transferred"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2002-03-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2002-06-16T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "CA-2002-07",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"name": "MDKSA-2002:022",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE"
],
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"name": "4267",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/4267"
},
{
"name": "zlib-doublefree-memory-corruption(8427)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
},
{
"name": "HPSBTL0204-030",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"name": "CLA-2002:469",
"tags": [
"vendor-advisory",
"x_refsource_CONECTIVA"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"name": "MDKSA-2002:023",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"name": "DSA-122",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"name": "CSSA-2002-015.1",
"tags": [
"vendor-advisory",
"x_refsource_CALDERA"
],
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"name": "MDKSA-2002:024",
"tags": [
"vendor-advisory",
"x_refsource_MANDRAKE"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"name": "VU#368819",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"name": "RHSA-2002:027",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"name": "CSSA-2002-014.1",
"tags": [
"vendor-advisory",
"x_refsource_CALDERA"
],
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"name": "HPSBTL0204-036",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"name": "RHSA-2002:026",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"name": "HPSBTL0204-037",
"tags": [
"vendor-advisory",
"x_refsource_HP"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2002-0059",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "CA-2002-07",
"refsource": "CERT",
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"name": "MDKSA-2002:022",
"refsource": "MANDRAKE",
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"name": "4267",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/4267"
},
{
"name": "zlib-doublefree-memory-corruption(8427)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
},
{
"name": "HPSBTL0204-030",
"refsource": "HP",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"name": "CLA-2002:469",
"refsource": "CONECTIVA",
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"name": "MDKSA-2002:023",
"refsource": "MANDRAKE",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"name": "DSA-122",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"name": "CSSA-2002-015.1",
"refsource": "CALDERA",
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"name": "MDKSA-2002:024",
"refsource": "MANDRAKE",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"name": "VU#368819",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"name": "RHSA-2002:027",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"name": "CSSA-2002-014.1",
"refsource": "CALDERA",
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"name": "HPSBTL0204-036",
"refsource": "HP",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"name": "RHSA-2002:026",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"name": "HPSBTL0204-037",
"refsource": "HP",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2002-0059",
"datePublished": "2002-06-25T04:00:00",
"dateReserved": "2002-02-07T00:00:00",
"dateUpdated": "2024-08-08T02:35:17.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2002-0059\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2002-03-15T05:00:00.000\",\"lastModified\":\"2025-04-03T01:03:51.193\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \\\"double free\\\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.\"},{\"lang\":\"es\",\"value\":\"El algoritmo de descompresi\u00f3n en la librer\u00eda zlib 1.1.3 y anteriores, usada en muchas utilidades y paquetes, obliga a que la funci\u00f3n \\\"inflateEnd\\\" libere cierta memoria m\u00e1s de una vez (hacer un \\\"free\\\" dos veces), lo cual permite que atacantes remotos y locales ejecuten c\u00f3digo arbitrario a trav\u00e9s de bloques deformados de datos comprimidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPriv
ilege\":false,\"obtainOtherPrivilege\":true,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-415\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.1.3\",\"matchCriteriaId\":\"312997A2-05E3-4B6E-B5B9-5058314FC4DC\"}]}]}],\"references\":[{\"url\":\"ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.cert.org/advisories/CA-2002-07.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.debian.org/security/2002/dsa-122\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/368819\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2002-026.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Patch\",\"Vendor 
Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2002-027.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/4267\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/8427\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.cert.org/advisories/CA-2002-07.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://www.debian.org/security/2002/dsa-122\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.kb.cert.org/vuls/id/368819\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US 
Government Resource\"]},{\"url\":\"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2002-026.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2002-027.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/4267\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/8427\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]}]}}"
}
}
rhsa-2002:026
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "[Update 20 Mar 2002:\nAdded kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC\npackages as the previous fix caused another denial of service\nvulnerability; thanks to Const Kaplinsky for reporting this]\n\n[Update 14 Mar 2002: \nUpdated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing \nthe zlib fix; added missing kernel-headers package for 6.2.]\n \nThe zlib library provides in-memory compression/decompression \nfunctions. The library is widely used throughout Linux and other \noperating \nsystems. \n \nWhile performing tests on the gdk-pixbuf library, Matthias Clasen created \nan invalid PNG image that caused libpng to crash. Upon further \ninvestigation, this turned out to be a bug in zlib 1.1.3 where certain \ntypes of input will cause zlib to free the same area of memory twice \n(called a \"double free\"). \n \nThis bug can be used to crash any program that takes untrusted \ncompressed input. Web browsers or email programs that \ndisplay image attachments or other programs that uncompress data are \nparticularly affected. This vulnerability makes it easy to perform \nvarious \ndenial-of-service attacks against such programs. \n \nIt is also possible that an attacker could manage a more significant \nexploit, since the result of a double free is the corruption of the \nmalloc() implementation\u0027s data structures. This could include running \narbitrary code on local or remote systems. \n \nMost packages in Red Hat Linux use the shared zlib library and can be \nprotected against vulnerability by updating to the errata zlib \npackage. However, we have identified a number of packages in Red Hat \nLinux that either statically link to zlib or contain an internal \nversion of zlib code. \n \nAlthough no exploits for this issue or these packages are currently \nknown to exist, this is a serious vulnerability which could be \nlocally or remotely exploited. All users should upgrade affected packages \nimmediately. 
\n \nAdditionally, if you have any programs that you have compiled yourself, \nyou should check to see if they use zlib. If they link to the shared \nzlib library then they will not be vulnerable once the shared zlib \nlibrary is updated to the errata package. However, if any programs that \ndecompress arbitrary data statically link to zlib or use their own \nversion \nof the zlib code internally, then they need to be patched or \nrecompiled.",
"title": "Topic"
},
{
"category": "general",
"text": "The following details apply to the main Red Hat Linux distribution\nonly. Please see advisory RHSA-2002:027 for Powertools packages.\n\ncvs: cvs is a version control system. The cvs package has been rebuilt to\nlink against the shared system zlib instead of the internal version. \n\nAdditionally, cvs has been updated to version 1.11.1p1 for Red Hat Linux\n6.2, 7.0 and 7.1 which also corrects a possible security vulnerability due\nto an improperly initialized global variable. (CAN-2002-0092)\n\ndump: The dump package contains programs for backing up and restoring\nfilesystems. It links statically to zlib and has been rebuilt\nagainst the errata zlib package. Red Hat Linux 7, 7.1, and 7.2\npackages have also been upgraded to dump-0.4b25, which includes\nmany non-security fixes.\n\ngcc3: The gcc3 package contains the GNU Compiler Collection version\n3.0. It has been updated to version 3.0.4 and patched to link against\nthe system zlib instead of the internal version.\n\nlibgcj: The libgcj package includes the Java runtime library, which is\nneeded to run Java programs compiled using the gcc Java compiler\n(gcj). libgcj has been patched to use the shared system zlib.\n\nkernel: The Linux kernel internally contains several variants of zlib \ncode. However, ppp compression is the only implementation that is used with\nuntrusted data streams. This issue has been patched. New kernel errata\npackages are included for Red Hat Linux 6.2 and 7. \n\nUsers of Red Hat Linux 7.1, or 7.2 should update to the currently\nreleased kernel errata RHSA-2002-028 (2.4.9-31) which already contains this\nfix.\n\nNetscape Navigator: Users are advised to obtain an update from Netscape.\n\nrsync: rsync is a program for synchronizing files over a network.\nrsync uses a modified version of zlib internally. 
These errata\npackages patch this internal version of zlib.\n\nThe rsync update package also fixes another security issue where rsync did\nnot call setgroups() before dropping the privileges of the connecting user.\nHence, it is possible for users to retain the group IDs of any supplemental\ngroups that rsync was started in (for example, supplementary groups of the\nroot user), allowing users to access files they may not otherwise be able\nto access. Thanks to Martin Pool and Andrew Tridgell for alerting us to\nthis issue. CAN-2002-0080.\n\nVNC: VNC is a remote display system in Powertools 6.2. VNC has been\npatched to use the system zlib library. \n\nIn addition, there is a small HTTP server implementation in the VNC server\nwhich can be made to wait indefinitely for input, thereby freezing an\nactive VNC session. The VNC packages recommended by this advisory have\nbeen patched to fix this issue. Users of VNC should be aware that the\nprogram is designed for use on a trusted network.\n\nzlib: The zlib library has been updated with a patch to fix the\naforementioned vulnerability.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:026",
"url": "https://access.redhat.com/errata/RHSA-2002:026"
},
{
"category": "external",
"summary": "http://bugzilla.gnome.org/show_bug.cgi?id=70594",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=70594"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_026.json"
}
],
"title": "Red Hat Security Advisory: : : : Vulnerability in zlib library",
"tracking": {
"current_release_date": "2025-10-09T12:31:09+00:00",
"generator": {
"date": "2025-10-09T12:31:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2002:026",
"initial_release_date": "2002-03-11T20:15:00+00:00",
"revision_history": [
{
"date": "2002-03-11T20:15:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-03-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T12:31:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0059",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2002-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616731"
}
],
"notes": [
{
"category": "description",
"text": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zlib: Double free in inflateEnd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0059"
},
{
"category": "external",
"summary": "RHBZ#1616731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
}
],
"release_date": "2002-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zlib: Double free in inflateEnd"
},
{
"cve": "CVE-2002-0080",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616738"
}
],
"notes": [
{
"category": "description",
"text": "rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0080"
},
{
"category": "external",
"summary": "RHBZ#1616738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616738"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0080",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0080"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080"
}
],
"release_date": "2002-03-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0092",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616742"
}
],
"notes": [
{
"category": "description",
"text": "CVS before 1.10.8 does not properly initialize a global variable, which allows remote attackers to cause a denial of service (server crash) via the diff capability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0092"
},
{
"category": "external",
"summary": "RHBZ#1616742",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616742"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0092",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0092"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0092",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0092"
}
],
"release_date": "2002-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"title": "security flaw"
}
]
}
rhsa-2002:027
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "[Update 20 Mar 2002:\nVNC packages updated to fix another denial of service vulnerability caused\nby the previous update. Thanks to Const Kaplinsky for discovering this\nissue.]\n \nThe zlib compression library provides in-memory compression and \ndecompression functions. It is widely used throughout Linux \nand other operating systems. \n \nWhile performing tests on the gdk-pixbuf library, Matthias Clasen created \nan invalid PNG image that caused libpng to crash. Upon further \ninvestigation, this turned out to be a bug in zlib 1.1.3. Certain \ninput will cause zlib to free an area of memory twice (also called a \n\"double free\"). \n \nThis bug can be used to crash any program that takes untrusted compressed \ninput. Web browsers or email programs that display image attachments or \nother programs that uncompress data are particularly affected. This \nvulnerability makes it easy to perform various denial-of-service attacks \nagainst such programs. \n \nHowever, since the result of a double free is the corruption of the \nmalloc implementation\u0027s data structures, it is possible that an attacker\ncould manage a more significant exploit, such as running arbitrary code on\nthe affected system.",
"title": "Topic"
},
{
"category": "general",
"text": "Most of the packages in Red Hat Linux use the shared zlib library and can\nbe protected against vulnerability by updating to the errata zlib\npackage. However, there have been a number of packages identified in Red\nHat Linux that either statically link to zlib or contain an internal\nversion of zlib code.\n\nAlthough no exploits for this issue or the affected packages are currently\nknown to exist, this is a serious vulnerability that could be locally or\nremotely exploited. All users should upgrade affected packages\nimmediately.\n\nAdditionally, if you have any programs that you have compiled yourself\nyou should check to see if they use zlib. If they link to the shared\nzlib library then they will not be vulnerable once the shared zlib\nlibrary is updated to the errata package. If any programs that decompress\narbitrary data either statically link to zlib or use their own version of\nthe zlib code internally, then they need to be patched or recompiled.\n\nThe following details apply to the Powertools distribution only;\nfor packages included with the main Red Hat Linux distribution\nplease see advisory RHSA-2002:026\n\nabiword: Powertools 6.2 shipped with both statically and\ndynamically linked versions of AbiWord. The statically linked version\nis linked against the vulnerable zlib. It is recommended that users\nonly use the dynamic version.\n\nacroread: The acroread package in Powertools 7.0 contains Acrobat\nReader, a PDF viewer. This package contains an internal version of\nzlib which may be vulnerable. An update is not yet available, so users are\nadvised to view PDF documents using xpdf or ghostview.\n\namaya: Amaya is a Web browser/authoring tool. 
Amaya in Powertools 7.1\nhas been patched to use the system zlib, libjpeg, and libpng libraries\ninstead of the internal static versions.\n\nflash: The flash package in Powertools 6.2 and 7.0 contains an\nunofficial Shockwave(TM) Flash2/Flash3 plug-in for Netscape which uses\nan internal version of zlib. This plug-in conflicts with the official\nflash plug-in included in the netscape package and should not be used.\n\nfreeamp: Freeamp is an MP3 audio player in Powertools 6.2 and 7.0 which\nuses zlib when decompressing themes. Freeamp has been patched\nto use the system zlib library instead of the internal version.\n\nqt-embedded: Qt is a GUI toolkit for embedded devices. qt-embedded has\nbeen updated to version 2.3.2 and recompiled against the errata zlib\nlibrary.\n\nvnc: VNC is a remote display system in Powertools 6.2. VNC has been\npatched to use the system zlib library. \n\nIn addition, there is a small HTTP server implementation in the VNC server\nwhich can be made to wait indefinitely for input, thereby freezing an\nactive VNC session. The VNC packages recommended by this advisory have\nbeen patched to fix this issue, as well. Users of VNC should be aware the\nprogram is designed for use on a trusted network.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:027",
"url": "https://access.redhat.com/errata/RHSA-2002:027"
},
{
"category": "external",
"summary": "http://bugzilla.gnome.org/show_bug.cgi?id=70594",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=70594"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_027.json"
}
],
"title": "Red Hat Security Advisory: Vulnerability in zlib library (powertools)",
"tracking": {
"current_release_date": "2025-10-09T12:31:10+00:00",
"generator": {
"date": "2025-10-09T12:31:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2002:027",
"initial_release_date": "2002-03-11T18:09:00+00:00",
"revision_history": [
{
"date": "2002-03-11T18:09:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-03-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T12:31:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Powertools 6.2",
"product": {
"name": "Red Hat Powertools 6.2",
"product_id": "Red Hat Powertools 6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Powertools 7.0",
"product": {
"name": "Red Hat Powertools 7.0",
"product_id": "Red Hat Powertools 7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Powertools 7.1",
"product": {
"name": "Red Hat Powertools 7.1",
"product_id": "Red Hat Powertools 7.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:7.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Powertools"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0059",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2002-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616731"
}
],
"notes": [
{
"category": "description",
"text": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zlib: Double free in inflateEnd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0059"
},
{
"category": "external",
"summary": "RHBZ#1616731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
}
],
"release_date": "2002-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T18:09:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:027"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zlib: Double free in inflateEnd"
}
]
}
RHSA-2002:026
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "[Update 20 Mar 2002:\nAdded kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC\npackages as the previous fix caused another denial of service\nvulnerability; thanks to Const Kaplinsky for reporting this]\n\n[Update 14 Mar 2002: \nUpdated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing \nthe zlib fix; added missing kernel-headers package for 6.2.]\n \nThe zlib library provides in-memory compression/decompression \nfunctions. The library is widely used throughout Linux and other \noperating \nsystems. \n \nWhile performing tests on the gdk-pixbuf library, Matthias Clasen created \nan invalid PNG image that caused libpng to crash. Upon further \ninvestigation, this turned out to be a bug in zlib 1.1.3 where certain \ntypes of input will cause zlib to free the same area of memory twice \n(called a \"double free\"). \n \nThis bug can be used to crash any program that takes untrusted \ncompressed input. Web browsers or email programs that \ndisplay image attachments or other programs that uncompress data are \nparticularly affected. This vulnerability makes it easy to perform \nvarious \ndenial-of-service attacks against such programs. \n \nIt is also possible that an attacker could manage a more significant \nexploit, since the result of a double free is the corruption of the \nmalloc() implementation\u0027s data structures. This could include running \narbitrary code on local or remote systems. \n \nMost packages in Red Hat Linux use the shared zlib library and can be \nprotected against vulnerability by updating to the errata zlib \npackage. However, we have identified a number of packages in Red Hat \nLinux that either statically link to zlib or contain an internal \nversion of zlib code. \n \nAlthough no exploits for this issue or these packages are currently \nknown to exist, this is a serious vulnerability which could be \nlocally or remotely exploited. All users should upgrade affected packages \nimmediately. 
\n \nAdditionally, if you have any programs that you have compiled yourself, \nyou should check to see if they use zlib. If they link to the shared \nzlib library then they will not be vulnerable once the shared zlib \nlibrary is updated to the errata package. However, if any programs that \ndecompress arbitrary data statically link to zlib or use their own \nversion \nof the zlib code internally, then they need to be patched or \nrecompiled.",
"title": "Topic"
},
{
"category": "general",
"text": "The following details apply to the main Red Hat Linux distribution\nonly. Please see advisory RHSA-2002:027 for Powertools packages.\n\ncvs: cvs is a version control system. The cvs package has been rebuilt to\nlink against the shared system zlib instead of the internal version. \n\nAdditionally, cvs has been updated to version 1.11.1p1 for Red Hat Linux\n6.2, 7.0 and 7.1 which also corrects a possible security vulnerability due\nto an improperly initialized global variable. (CAN-2002-0092)\n\ndump: The dump package contains programs for backing up and restoring\nfilesystems. It links statically to zlib and has been rebuilt\nagainst the errata zlib package. Red Hat Linux 7, 7.1, and 7.2\npackages have also been upgraded to dump-0.4b25, which includes\nmany non-security fixes.\n\ngcc3: The gcc3 package contains the GNU Compiler Collection version\n3.0. It has been updated to version 3.0.4 and patched to link against\nthe system zlib instead of the internal version.\n\nlibgcj: The libgcj package includes the Java runtime library, which is\nneeded to run Java programs compiled using the gcc Java compiler\n(gcj). libgcj has been patched to use the shared system zlib.\n\nkernel: The Linux kernel internally contains several variants of zlib \ncode. However, ppp compression is the only implementation that is used with\nuntrusted data streams. This issue has been patched. New kernel errata\npackages are included for Red Hat Linux 6.2 and 7. \n\nUsers of Red Hat Linux 7.1, or 7.2 should update to the currently\nreleased kernel errata RHSA-2002-028 (2.4.9-31) which already contains this\nfix.\n\nNetscape Navigator: Users are advised to obtain an update from Netscape.\n\nrsync: rsync is a program for synchronizing files over a network.\nrsync uses a modified version of zlib internally. 
These errata\npackages patch this internal version of zlib.\n\nThe rsync update package also fixes another security issue where rsync did\nnot call setgroups() before dropping the privileges of the connecting user.\nHence, it is possible for users to retain the group IDs of any supplemental\ngroups that rsync was started in (for example, supplementary groups of the\nroot user), allowing users to access files they may not otherwise be able\nto access. Thanks to Martin Pool and Andrew Tridgell for alerting us to\nthis issue. CAN-2002-0080.\n\nVNC: VNC is a remote display system in Powertools 6.2. VNC has been\npatched to use the system zlib library. \n\nIn addition, there is a small HTTP server implementation in the VNC server\nwhich can be made to wait indefinitely for input, thereby freezing an\nactive VNC session. The VNC packages recommended by this advisory have\nbeen patched to fix this issue. Users of VNC should be aware that the\nprogram is designed for use on a trusted network.\n\nzlib: The zlib library has been updated with a patch to fix the\naforementioned vulnerability.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:026",
"url": "https://access.redhat.com/errata/RHSA-2002:026"
},
{
"category": "external",
"summary": "http://bugzilla.gnome.org/show_bug.cgi?id=70594",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=70594"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_026.json"
}
],
"title": "Red Hat Security Advisory: Vulnerability in zlib library",
"tracking": {
"current_release_date": "2025-10-09T12:31:09+00:00",
"generator": {
"date": "2025-10-09T12:31:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2002:026",
"initial_release_date": "2002-03-11T20:15:00+00:00",
"revision_history": [
{
"date": "2002-03-11T20:15:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-03-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T12:31:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0059",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2002-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616731"
}
],
"notes": [
{
"category": "description",
"text": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zlib: Double free in inflateEnd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0059"
},
{
"category": "external",
"summary": "RHBZ#1616731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
}
],
"release_date": "2002-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zlib: Double free in inflateEnd"
},
{
"cve": "CVE-2002-0080",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616738"
}
],
"notes": [
{
"category": "description",
"text": "rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0080"
},
{
"category": "external",
"summary": "RHBZ#1616738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616738"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0080",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0080"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080"
}
],
"release_date": "2002-03-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0092",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616742"
}
],
"notes": [
{
"category": "description",
"text": "CVS before 1.10.8 does not properly initialize a global variable, which allows remote attackers to cause a denial of service (server crash) via the diff capability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0092"
},
{
"category": "external",
"summary": "RHBZ#1616742",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616742"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0092",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0092"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0092",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0092"
}
],
"release_date": "2002-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"title": "security flaw"
}
]
}
RHSA-2002:027
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "[Update 20 Mar 2002:\nVNC packages updated to fix another denial of service vulnerability caused\nby the previous update. Thanks to Const Kaplinsky for discovering this\nissue.]\n \nThe zlib compression library provides in-memory compression and \ndecompression functions. It is widely used throughout Linux \nand other operating systems. \n \nWhile performing tests on the gdk-pixbuf library, Matthias Clasen created \nan invalid PNG image that caused libpng to crash. Upon further \ninvestigation, this turned out to be a bug in zlib 1.1.3. Certain \ninput will cause zlib to free an area of memory twice (also called a \n\"double free\"). \n \nThis bug can be used to crash any program that takes untrusted compressed \ninput. Web browsers or email programs that display image attachments or \nother programs that uncompress data are particularly affected. This \nvulnerability makes it easy to perform various denial-of-service attacks \nagainst such programs. \n \nHowever, since the result of a double free is the corruption of the \nmalloc implementation\u0027s data structures, it is possible that an attacker\ncould manage a more significant exploit, such as running arbitrary code on\nthe affected system.",
"title": "Topic"
},
{
"category": "general",
"text": "Most of the packages in Red Hat Linux use the shared zlib library and can\nbe protected against vulnerability by updating to the errata zlib\npackage. However, there have been a number of packages identified in Red\nHat Linux that either statically link to zlib or contain an internal\nversion of zlib code.\n\nAlthough no exploits for this issue or the affected packages are currently\nknown to exist, this is a serious vulnerability that could be locally or\nremotely exploited. All users should upgrade affected packages\nimmediately.\n\nAdditionally, if you have any programs that you have compiled yourself\nyou should check to see if they use zlib. If they link to the shared\nzlib library then they will not be vulnerable once the shared zlib\nlibrary is updated to the errata package. If any programs that decompress\narbitrary data either statically link to zlib or use their own version of\nthe zlib code internally, then they need to be patched or recompiled.\n\nThe following details apply to the Powertools distribution only;\nfor packages included with the main Red Hat Linux distribution\nplease see advisory RHSA-2002:026\n\nabiword: Powertools 6.2 shipped with both statically and\ndynamically linked versions of AbiWord. The statically linked version\nis linked against the vulnerable zlib. It is recommended that users\nonly use the dynamic version.\n\nacroread: The acroread package in Powertools 7.0 contains Acrobat\nReader, a PDF viewer. This package contains an internal version of\nzlib which may be vulnerable. An update is not yet available, so users are\nadvised to view PDF documents using xpdf or ghostview.\n\namaya: Amaya is a Web browser/authoring tool. 
Amaya in Powertools 7.1\nhas been patched to use the system zlib, libjpeg, and libpng libraries\ninstead of the internal static versions.\n\nflash: The flash package in Powertools 6.2 and 7.0 contains an\nunofficial Shockwave(TM) Flash2/Flash3 plug-in for Netscape which uses\nan internal version of zlib. This plug-in conflicts with the official\nflash plug-in included in the netscape package and should not be used.\n\nfreeamp: Freeamp is an MP3 audio player in Powertools 6.2 and 7.0 which\nuses zlib when decompressing themes. Freeamp has been patched\nto use the system zlib library instead of the internal version.\n\nqt-embedded: Qt is a GUI toolkit for embedded devices. qt-embedded has\nbeen updated to version 2.3.2 and recompiled against the errata zlib\nlibrary.\n\nvnc: VNC is a remote display system in Powertools 6.2. VNC has been\npatched to use the system zlib library. \n\nIn addition, there is a small HTTP server implementation in the VNC server\nwhich can be made to wait indefinitely for input, thereby freezing an\nactive VNC session. The VNC packages recommended by this advisory have\nbeen patched to fix this issue, as well. Users of VNC should be aware the\nprogram is designed for use on a trusted network.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:027",
"url": "https://access.redhat.com/errata/RHSA-2002:027"
},
{
"category": "external",
"summary": "http://bugzilla.gnome.org/show_bug.cgi?id=70594",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=70594"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_027.json"
}
],
"title": "Red Hat Security Advisory: Vulnerability in zlib library (powertools)",
"tracking": {
"current_release_date": "2025-10-09T12:31:10+00:00",
"generator": {
"date": "2025-10-09T12:31:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.9"
}
},
"id": "RHSA-2002:027",
"initial_release_date": "2002-03-11T18:09:00+00:00",
"revision_history": [
{
"date": "2002-03-11T18:09:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-03-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-10-09T12:31:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Powertools 6.2",
"product": {
"name": "Red Hat Powertools 6.2",
"product_id": "Red Hat Powertools 6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Powertools 7.0",
"product": {
"name": "Red Hat Powertools 7.0",
"product_id": "Red Hat Powertools 7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Powertools 7.1",
"product": {
"name": "Red Hat Powertools 7.1",
"product_id": "Red Hat Powertools 7.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:7.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Powertools"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0059",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2002-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616731"
}
],
"notes": [
{
"category": "description",
"text": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zlib: Double free in inflateEnd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0059"
},
{
"category": "external",
"summary": "RHBZ#1616731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
}
],
"release_date": "2002-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T18:09:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:027"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zlib: Double free in inflateEnd"
}
]
}
rhsa-2002_026
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "[Update 20 Mar 2002:\nAdded kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC\npackages as the previous fix caused another denial of service\nvulnerability; thanks to Const Kaplinsky for reporting this]\n\n[Update 14 Mar 2002: \nUpdated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing \nthe zlib fix; added missing kernel-headers package for 6.2.]\n \nThe zlib library provides in-memory compression/decompression \nfunctions. The library is widely used throughout Linux and other \noperating \nsystems. \n \nWhile performing tests on the gdk-pixbuf library, Matthias Clasen created \nan invalid PNG image that caused libpng to crash. Upon further \ninvestigation, this turned out to be a bug in zlib 1.1.3 where certain \ntypes of input will cause zlib to free the same area of memory twice \n(called a \"double free\"). \n \nThis bug can be used to crash any program that takes untrusted \ncompressed input. Web browsers or email programs that \ndisplay image attachments or other programs that uncompress data are \nparticularly affected. This vulnerability makes it easy to perform \nvarious \ndenial-of-service attacks against such programs. \n \nIt is also possible that an attacker could manage a more significant \nexploit, since the result of a double free is the corruption of the \nmalloc() implementation\u0027s data structures. This could include running \narbitrary code on local or remote systems. \n \nMost packages in Red Hat Linux use the shared zlib library and can be \nprotected against vulnerability by updating to the errata zlib \npackage. However, we have identified a number of packages in Red Hat \nLinux that either statically link to zlib or contain an internal \nversion of zlib code. \n \nAlthough no exploits for this issue or these packages are currently \nknown to exist, this is a serious vulnerability which could be \nlocally or remotely exploited. All users should upgrade affected packages \nimmediately. 
\n \nAdditionally, if you have any programs that you have compiled yourself, \nyou should check to see if they use zlib. If they link to the shared \nzlib library then they will not be vulnerable once the shared zlib \nlibrary is updated to the errata package. However, if any programs that \ndecompress arbitrary data statically link to zlib or use their own \nversion \nof the zlib code internally, then they need to be patched or \nrecompiled.",
"title": "Topic"
},
{
"category": "general",
"text": "The following details apply to the main Red Hat Linux distribution\nonly. Please see advisory RHSA-2002:027 for Powertools packages.\n\ncvs: cvs is a version control system. The cvs package has been rebuilt to\nlink against the shared system zlib instead of the internal version. \n\nAdditionally, cvs has been updated to version 1.11.1p1 for Red Hat Linux\n6.2, 7.0 and 7.1 which also corrects a possible security vulnerability due\nto an improperly initialized global variable. (CAN-2002-0092)\n\ndump: The dump package contains programs for backing up and restoring\nfilesystems. It links statically to zlib and has been rebuilt\nagainst the errata zlib package. Red Hat Linux 7, 7.1, and 7.2\npackages have also been upgraded to dump-0.4b25, which includes\nmany non-security fixes.\n\ngcc3: The gcc3 package contains the GNU Compiler Collection version\n3.0. It has been updated to version 3.0.4 and patched to link against\nthe system zlib instead of the internal version.\n\nlibgcj: The libgcj package includes the Java runtime library, which is\nneeded to run Java programs compiled using the gcc Java compiler\n(gcj). libgcj has been patched to use the shared system zlib.\n\nkernel: The Linux kernel internally contains several variants of zlib \ncode. However, ppp compression is the only implementation that is used with\nuntrusted data streams. This issue has been patched. New kernel errata\npackages are included for Red Hat Linux 6.2 and 7. \n\nUsers of Red Hat Linux 7.1, or 7.2 should update to the currently\nreleased kernel errata RHSA-2002-028 (2.4.9-31) which already contains this\nfix.\n\nNetscape Navigator: Users are advised to obtain an update from Netscape.\n\nrsync: rsync is a program for synchronizing files over a network.\nrsync uses a modified version of zlib internally. 
These errata\npackages patch this internal version of zlib.\n\nThe rsync update package also fixes another security issue where rsync did\nnot call setgroups() before dropping the privileges of the connecting user.\nHence, it is possible for users to retain the group IDs of any supplemental\ngroups that rsync was started in (for example, supplementary groups of the\nroot user), allowing users to access files they may not otherwise be able\nto access. Thanks to Martin Pool and Andrew Tridgell for alerting us to\nthis issue. CAN-2002-0080.\n\nVNC: VNC is a remote display system in Powertools 6.2. VNC has been\npatched to use the system zlib library. \n\nIn addition, there is a small HTTP server implementation in the VNC server\nwhich can be made to wait indefinitely for input, thereby freezing an\nactive VNC session. The VNC packages recommended by this advisory have\nbeen patched to fix this issue. Users of VNC should be aware that the\nprogram is designed for use on a trusted network.\n\nzlib: The zlib library has been updated with a patch to fix the\naforementioned vulnerability.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:026",
"url": "https://access.redhat.com/errata/RHSA-2002:026"
},
{
"category": "external",
"summary": "http://bugzilla.gnome.org/show_bug.cgi?id=70594",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=70594"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_026.json"
}
],
"title": "Red Hat Security Advisory: Vulnerability in zlib library",
"tracking": {
"current_release_date": "2024-11-21T22:16:52+00:00",
"generator": {
"date": "2024-11-21T22:16:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:026",
"initial_release_date": "2002-03-11T20:15:00+00:00",
"revision_history": [
{
"date": "2002-03-11T20:15:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-03-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:16:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Linux 6.2",
"product": {
"name": "Red Hat Linux 6.2",
"product_id": "Red Hat Linux 6.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.0",
"product": {
"name": "Red Hat Linux 7.0",
"product_id": "Red Hat Linux 7.0",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.1",
"product": {
"name": "Red Hat Linux 7.1",
"product_id": "Red Hat Linux 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat Linux 7.2",
"product": {
"name": "Red Hat Linux 7.2",
"product_id": "Red Hat Linux 7.2",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:linux:7.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0059",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2002-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616731"
}
],
"notes": [
{
"category": "description",
"text": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zlib: Double free in inflateEnd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0059"
},
{
"category": "external",
"summary": "RHBZ#1616731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
}
],
"release_date": "2002-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zlib: Double free in inflateEnd"
},
{
"cve": "CVE-2002-0080",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616738"
}
],
"notes": [
{
"category": "description",
"text": "rsync, when running in daemon mode, does not properly call setgroups before dropping privileges, which could provide supplemental group privileges to local users, who could then read certain files that would otherwise be disallowed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0080"
},
{
"category": "external",
"summary": "RHBZ#1616738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616738"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0080",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0080"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0080"
}
],
"release_date": "2002-03-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"title": "security flaw"
},
{
"cve": "CVE-2002-0092",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616742"
}
],
"notes": [
{
"category": "description",
"text": "CVS before 1.10.8 does not properly initialize a global variable, which allows remote attackers to cause a denial of service (server crash) via the diff capability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "security flaw",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0092"
},
{
"category": "external",
"summary": "RHBZ#1616742",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616742"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0092",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0092"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0092",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0092"
}
],
"release_date": "2002-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T20:15:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nThe procedure for upgrading the kernel is documented at:\n\n http://www.redhat.com/support/docs/howto/kernel-upgrade/\n\nPlease read the directions for your architecture carefully before\nproceeding with the kernel upgrade.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Linux 6.2",
"Red Hat Linux 7.0",
"Red Hat Linux 7.1",
"Red Hat Linux 7.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:026"
}
],
"title": "security flaw"
}
]
}
rhsa-2002_027
Vulnerability from csaf_redhat
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "[Update 20 Mar 2002:\nVNC packages updated to fix another denial of service vulnerability caused\nby the previous update. Thanks to Const Kaplinsky for discovering this\nissue.]\n \nThe zlib compression library provides in-memory compression and \ndecompression functions. It is widely used throughout Linux \nand other operating systems. \n \nWhile performing tests on the gdk-pixbuf library, Matthias Clasen created \nan invalid PNG image that caused libpng to crash. Upon further \ninvestigation, this turned out to be a bug in zlib 1.1.3. Certain \ninput will cause zlib to free an area of memory twice (also called a \n\"double free\"). \n \nThis bug can be used to crash any program that takes untrusted compressed \ninput. Web browsers or email programs that display image attachments or \nother programs that uncompress data are particularly affected. This \nvulnerability makes it easy to perform various denial-of-service attacks \nagainst such programs. \n \nHowever, since the result of a double free is the corruption of the \nmalloc implementation\u0027s data structures, it is possible that an attacker\ncould manage a more significant exploit, such as running arbitrary code on\nthe affected system.",
"title": "Topic"
},
{
"category": "general",
"text": "Most of the packages in Red Hat Linux use the shared zlib library and can\nbe protected against vulnerability by updating to the errata zlib\npackage. However, there have been a number of packages identified in Red\nHat Linux that either statically link to zlib or contain an internal\nversion of zlib code.\n\nAlthough no exploits for this issue or the affected packages are currently\nknown to exist, this is a serious vulnerability that could be locally or\nremotely exploited. All users should upgrade affected packages\nimmediately.\n\nAdditionally, if you have any programs that you have compiled yourself\nyou should check to see if they use zlib. If they link to the shared\nzlib library then they will not be vulnerable once the shared zlib\nlibrary is updated to the errata package. If any programs that decompress\narbitrary data either statically link to zlib or use their own version of\nthe zlib code internally, then they need to be patched or recompiled.\n\nThe following details apply to the Powertools distribution only;\nfor packages included with the main Red Hat Linux distribution\nplease see advisory RHSA-2002:026\n\nabiword: Powertools 6.2 shipped with both statically and\ndynamically linked versions of AbiWord. The statically linked version\nis linked against the vulnerable zlib. It is recommended that users\nonly use the dynamic version.\n\nacroread: The acroread package in Powertools 7.0 contains Acrobat\nReader, a PDF viewer. This package contains an internal version of\nzlib which may be vulnerable. An update is not yet available, so users are\nadvised to view PDF documents using xpdf or ghostview.\n\namaya: Amaya is a Web browser/authoring tool. 
Amaya in Powertools 7.1\nhas been patched to use the system zlib, libjpeg, and libpng libraries\ninstead of the internal static versions.\n\nflash: The flash package in Powertools 6.2 and 7.0 contains an\nunofficial Shockwave(TM) Flash2/Flash3 plug-in for Netscape which uses\nan internal version of zlib. This plug-in conflicts with the official\nflash plug-in included in the netscape package and should not be used.\n\nfreeamp: Freeamp is an MP3 audio player in Powertools 6.2 and 7.0 which\nuses zlib when decompressing themes. Freeamp has been patched\nto use the system zlib library instead of the internal version.\n\nqt-embedded: Qt is a GUI toolkit for embedded devices. qt-embedded has\nbeen updated to version 2.3.2 and recompiled against the errata zlib\nlibrary.\n\nvnc: VNC is a remote display system in Powertools 6.2. VNC has been\npatched to use the system zlib library. \n\nIn addition, there is a small HTTP server implementation in the VNC server\nwhich can be made to wait indefinitely for input, thereby freezing an\nactive VNC session. The VNC packages recommended by this advisory have\nbeen patched to fix this issue, as well. Users of VNC should be aware the\nprogram is designed for use on a trusted network.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2002:027",
"url": "https://access.redhat.com/errata/RHSA-2002:027"
},
{
"category": "external",
"summary": "http://bugzilla.gnome.org/show_bug.cgi?id=70594",
"url": "http://bugzilla.gnome.org/show_bug.cgi?id=70594"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_027.json"
}
],
"title": "Red Hat Security Advisory: : Vulnerability in zlib library (powertools)",
"tracking": {
"current_release_date": "2024-11-21T22:16:55+00:00",
"generator": {
"date": "2024-11-21T22:16:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2002:027",
"initial_release_date": "2002-03-11T18:09:00+00:00",
"revision_history": [
{
"date": "2002-03-11T18:09:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2002-03-11T00:00:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-21T22:16:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Powertools 6.2",
"product": {
"name": "Red Hat Powertools 6.2",
"product_id": "Red Hat Powertools 6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:6.2"
}
}
},
{
"category": "product_name",
"name": "Red Hat Powertools 7.0",
"product": {
"name": "Red Hat Powertools 7.0",
"product_id": "Red Hat Powertools 7.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:7.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat Powertools 7.1",
"product": {
"name": "Red Hat Powertools 7.1",
"product_id": "Red Hat Powertools 7.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:powertools:7.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Powertools"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2002-0059",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"discovery_date": "2002-03-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1616731"
}
],
"notes": [
{
"category": "description",
"text": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "zlib: Double free in inflateEnd",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2002-0059"
},
{
"category": "external",
"summary": "RHBZ#1616731",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616731"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
}
],
"release_date": "2002-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2002-03-11T18:09:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe\ndesired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
"product_ids": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2002:027"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Powertools 6.2",
"Red Hat Powertools 7.0",
"Red Hat Powertools 7.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "zlib: Double free in inflateEnd"
}
]
}
CERTFR-2024-AVI-0145
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une exécution de code arbitraire à distance et une élévation de privilèges.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Db2 | IBM Cloud APM, Advanced Private versions 8.1.4 sans le dernier correctif de sécurité Fixpack cumulatif Db2 | ||
| IBM | QRadar Suite Software | QRadar Suite Software versions 1.10.x.x antérieures à 1.10.18.0 | ||
| IBM | N/A | IBM Db2 sur Cloud Pak pour Data et Db2 Warehouse sur Cloud Pak for Data versions antérieures à v4.8.2 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP7 IF05 | ||
| IBM | QRadar | IBM QRadar Use Case Manager App versions antérieures à 3.9.0 | ||
| IBM | WebSphere | IBM WebSphere Application Server versions 8.5.x.x sans le SDK version 8 Service Refresh 8 FP20 | ||
| IBM | WebSphere | IBM WebSphere Application Server Liberty sans le SDK version 8 Service Refresh 8 FP20 | ||
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.1.x.x antérieures à 6.1.0.23 | ||
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.3.x.x antérieures à 6.3.0.6 | ||
| IBM | Sterling Connect:Direct | IBM Sterling Connect:Direct Web Services versions 6.2.x.x antérieures à 6.2.0.22 | ||
| IBM | Db2 | IBM Cloud APM, Base Private versions 8.1.4 sans le dernier correctif de sécurité Fixpack cumulatif Db2 | ||
| IBM | Cloud Pak | IBM Cloud Pak for Security versions 1.10.x.x antérieures à 1.10.18.0 | ||
| IBM | Spectrum | IBM Spectrum Scale versions 5.1.x.x antérieures à 5.1.2.15 | ||
| IBM | WebSphere | IBM WebSphere Application Server versions 9.x sans le SDK version 8 Service Refresh 8 FP20 | ||
| IBM | QRadar WinCollect Agent | IBM QRadar WinCollect Agent versions 10.0.x antérieures à 10.1.9 | ||
| IBM | Spectrum | IBM Spectrum Scale versions 5.1.3.x antérieures à 5.1.9.2 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Cloud APM, Advanced Private versions 8.1.4 sans le dernier correctif de s\u00e9curit\u00e9 Fixpack cumulatif Db2",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.18.0",
"product": {
"name": "QRadar Suite Software",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 sur Cloud Pak pour Data et Db2 Warehouse sur Cloud Pak for Data versions ant\u00e9rieures \u00e0 v4.8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP7 IF05",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar Use Case Manager App versions ant\u00e9rieures \u00e0 3.9.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server versions 8.5.x.x sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server Liberty sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.1.x.x ant\u00e9rieures \u00e0 6.1.0.23",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.3.x.x ant\u00e9rieures \u00e0 6.3.0.6",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Sterling Connect:Direct Web Services versions 6.2.x.x ant\u00e9rieures \u00e0 6.2.0.22",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cloud APM, Base Private versions 8.1.4 sans le dernier correctif de s\u00e9curit\u00e9 Fixpack cumulatif Db2",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Cloud Pak for Security versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.18.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.x.x ant\u00e9rieures \u00e0 5.1.2.15",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server versions 9.x sans le SDK version 8 Service Refresh 8 FP20",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar WinCollect Agent versions 10.0.x ant\u00e9rieures \u00e0 10.1.9",
"product": {
"name": "QRadar WinCollect Agent",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.3.x ant\u00e9rieures \u00e0 5.1.9.2",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2015-8385",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8385"
},
{
"name": "CVE-2015-8388",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8388"
},
{
"name": "CVE-2015-8392",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8392"
},
{
"name": "CVE-2015-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2327"
},
{
"name": "CVE-2015-8394",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8394"
},
{
"name": "CVE-2015-8395",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8395"
},
{
"name": "CVE-2015-8387",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8387"
},
{
"name": "CVE-2015-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8391"
},
{
"name": "CVE-2015-8383",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8383"
},
{
"name": "CVE-2015-8390",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8390"
},
{
"name": "CVE-2015-8381",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8381"
},
{
"name": "CVE-2015-8386",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8386"
},
{
"name": "CVE-2015-2328",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2328"
},
{
"name": "CVE-2020-14155",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14155"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2021-3712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3712"
},
{
"name": "CVE-2021-3711",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3711"
},
{
"name": "CVE-2021-22926",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22926"
},
{
"name": "CVE-2021-22947",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22947"
},
{
"name": "CVE-2021-22946",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22946"
},
{
"name": "CVE-2021-36221",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36221"
},
{
"name": "CVE-2021-29923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29923"
},
{
"name": "CVE-2021-33197",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33197"
},
{
"name": "CVE-2021-34558",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
},
{
"name": "CVE-2021-33195",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33195"
},
{
"name": "CVE-2021-4160",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4160"
},
{
"name": "CVE-2021-44716",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44716"
},
{
"name": "CVE-2021-41772",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41772"
},
{
"name": "CVE-2021-41771",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41771"
},
{
"name": "CVE-2022-3602",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3602"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2022-32149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32149"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2022-3786",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3786"
},
{
"name": "CVE-2022-3515",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3515"
},
{
"name": "CVE-2022-32206",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32206"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2021-22925",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22925"
},
{
"name": "CVE-2021-22923",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22923"
},
{
"name": "CVE-2021-22922",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22922"
},
{
"name": "CVE-2022-23773",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23773"
},
{
"name": "CVE-2022-23772",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23772"
},
{
"name": "CVE-2022-23806",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23806"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2022-24921",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24921"
},
{
"name": "CVE-2022-1292",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1292"
},
{
"name": "CVE-2021-39293",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39293"
},
{
"name": "CVE-2021-33196",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33196"
},
{
"name": "CVE-2022-22576",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22576"
},
{
"name": "CVE-2022-27776",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27776"
},
{
"name": "CVE-2022-2068",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2068"
},
{
"name": "CVE-2021-27918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27918"
},
{
"name": "CVE-2021-41190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-41190"
},
{
"name": "CVE-2021-33194",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33194"
},
{
"name": "CVE-2022-2097",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2097"
},
{
"name": "CVE-2022-28327",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28327"
},
{
"name": "CVE-2022-24675",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24675"
},
{
"name": "CVE-2022-27782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27782"
},
{
"name": "CVE-2022-32208",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32208"
},
{
"name": "CVE-2022-27781",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27781"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2022-32221",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32221"
},
{
"name": "CVE-2022-35252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-35252"
},
{
"name": "CVE-2022-43552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43552"
},
{
"name": "CVE-2022-4304",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4304"
},
{
"name": "CVE-2023-0286",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0286"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2022-4450",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4450"
},
{
"name": "CVE-2022-25881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25881"
},
{
"name": "CVE-2023-23916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23916"
},
{
"name": "CVE-2022-29244",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29244"
},
{
"name": "CVE-2022-41717",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41717"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2023-0464",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0464"
},
{
"name": "CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"name": "CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"name": "CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"name": "CVE-2022-41716",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41716"
},
{
"name": "CVE-2023-0466",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0466"
},
{
"name": "CVE-2023-0465",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0465"
},
{
"name": "CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"name": "CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"name": "CVE-2022-30580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30580"
},
{
"name": "CVE-2022-41725",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41725"
},
{
"name": "CVE-2022-41724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
},
{
"name": "CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2023-21954",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
},
{
"name": "CVE-2020-8244",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8244"
},
{
"name": "CVE-2023-23920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23920"
},
{
"name": "CVE-2023-23919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23919"
},
{
"name": "CVE-2023-23936",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23936"
},
{
"name": "CVE-2023-24532",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24532"
},
{
"name": "CVE-2023-24537",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24537"
},
{
"name": "CVE-2023-32360",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32360"
},
{
"name": "CVE-2023-2650",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2650"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-2597",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2597"
},
{
"name": "CVE-2023-24536",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24536"
},
{
"name": "CVE-2023-24538",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24538"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2023-28320",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28320"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2023-24540",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24540"
},
{
"name": "CVE-2023-29400",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29400"
},
{
"name": "CVE-2023-24539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24539"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2023-28319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28319"
},
{
"name": "CVE-2023-20593",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20593"
},
{
"name": "CVE-2023-3611",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3611"
},
{
"name": "CVE-2022-40982",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40982"
},
{
"name": "CVE-2023-20569",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20569"
},
{
"name": "CVE-2023-29404",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29404"
},
{
"name": "CVE-2023-29402",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29402"
},
{
"name": "CVE-2023-29403",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29403"
},
{
"name": "CVE-2023-29405",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29405"
},
{
"name": "CVE-2023-3776",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3776"
},
{
"name": "CVE-2023-4128",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4128"
},
{
"name": "CVE-2021-33198",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33198"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2021-38297",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-38297"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2023-37920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
},
{
"name": "CVE-2023-26048",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26048"
},
{
"name": "CVE-2023-26049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
},
{
"name": "CVE-2023-4206",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4206"
},
{
"name": "CVE-2023-4208",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4208"
},
{
"name": "CVE-2023-4207",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4207"
},
{
"name": "CVE-2023-29409",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29409"
},
{
"name": "CVE-2023-29406",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29406"
},
{
"name": "CVE-2023-32681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2023-45648",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
},
{
"name": "CVE-2023-42795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
},
{
"name": "CVE-2023-30991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30991"
},
{
"name": "CVE-2022-48339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48339"
},
{
"name": "CVE-2023-33850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
},
{
"name": "CVE-2023-39976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39976"
},
{
"name": "CVE-2023-38325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38325"
},
{
"name": "CVE-2023-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
},
{
"name": "CVE-2023-38546",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38546"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2023-32002",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32002"
},
{
"name": "CVE-2023-4807",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4807"
},
{
"name": "CVE-2023-5678",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5678"
},
{
"name": "CVE-2023-45803",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45803"
},
{
"name": "CVE-2023-44270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
},
{
"name": "CVE-2020-15586",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15586"
},
{
"name": "CVE-2020-28362",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28362"
},
{
"name": "CVE-2020-14039",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14039"
},
{
"name": "CVE-2020-16845",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16845"
},
{
"name": "CVE-2021-3114",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3114"
},
{
"name": "CVE-2020-24553",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24553"
},
{
"name": "CVE-2020-28366",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28366"
},
{
"name": "CVE-2020-28367",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28367"
},
{
"name": "CVE-2023-34054",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34054"
},
{
"name": "CVE-2023-34053",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34053"
},
{
"name": "CVE-2023-34055",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34055"
},
{
"name": "CVE-2023-46589",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"name": "CVE-2023-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38003"
},
{
"name": "CVE-2023-32731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
},
{
"name": "CVE-2023-45133",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45133"
},
{
"name": "CVE-2015-8393",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8393"
},
{
"name": "CVE-2020-19909",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-19909"
},
{
"name": "CVE-2023-30987",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-30987"
},
{
"name": "CVE-2023-38719",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38719"
},
{
"name": "CVE-2023-40374",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40374"
},
{
"name": "CVE-2023-38728",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38728"
},
{
"name": "CVE-2023-38720",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38720"
},
{
"name": "CVE-2023-38740",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38740"
},
{
"name": "CVE-2023-40372",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40372"
},
{
"name": "CVE-2023-40373",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40373"
},
{
"name": "CVE-2023-47145",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47145"
},
{
"name": "CVE-2024-20918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
},
{
"name": "CVE-2024-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
},
{
"name": "CVE-2024-20952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
},
{
"name": "CVE-2024-20921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
},
{
"name": "CVE-2023-39323",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39323"
},
{
"name": "CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"name": "CVE-2023-5676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
},
{
"name": "CVE-2023-46308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46308"
},
{
"name": "CVE-2023-32006",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32006"
},
{
"name": "CVE-2023-32559",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32559"
},
{
"name": "CVE-2023-24534",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24534"
},
{
"name": "CVE-2023-6129",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6129"
},
{
"name": "CVE-2022-23541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23541"
},
{
"name": "CVE-2022-36046",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36046"
},
{
"name": "CVE-2023-40692",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40692"
},
{
"name": "CVE-2023-44981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
},
{
"name": "CVE-2023-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38727"
},
{
"name": "CVE-2023-45142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
},
{
"name": "CVE-2022-48337",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48337"
},
{
"name": "CVE-2023-47627",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47627"
},
{
"name": "CVE-2023-47701",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47701"
},
{
"name": "CVE-2023-49081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49081"
},
{
"name": "CVE-2023-26159",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
},
{
"name": "CVE-2023-29258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29258"
},
{
"name": "CVE-2023-39332",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39332"
},
{
"name": "CVE-2023-46218",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46218"
},
{
"name": "CVE-2024-22190",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22190"
},
{
"name": "CVE-2023-4586",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-4586"
},
{
"name": "CVE-2023-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43020"
},
{
"name": "CVE-2023-37276",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37276"
},
{
"name": "CVE-2023-47152",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47152"
},
{
"name": "CVE-2023-49082",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-49082"
},
{
"name": "CVE-2023-46219",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46219"
},
{
"name": "CVE-2023-47141",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47141"
},
{
"name": "CVE-2023-39318",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39318"
},
{
"name": "CVE-2023-38552",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38552"
},
{
"name": "CVE-2023-46167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46167"
},
{
"name": "CVE-2023-27859",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27859"
},
{
"name": "CVE-2023-47158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47158"
},
{
"name": "CVE-2023-36665",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-36665"
},
{
"name": "CVE-2022-23529",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23529"
},
{
"name": "CVE-2023-40687",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40687"
},
{
"name": "CVE-2022-23539",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23539"
},
{
"name": "CVE-2023-6681",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-6681"
},
{
"name": "CVE-2022-23540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23540"
},
{
"name": "CVE-2023-46234",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46234"
},
{
"name": "CVE-2023-50308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50308"
},
{
"name": "CVE-2023-39331",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39331"
},
{
"name": "CVE-2023-45178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45178"
},
{
"name": "CVE-2023-45193",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45193"
},
{
"name": "CVE-2023-39319",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39319"
},
{
"name": "CVE-2020-29510",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-29510"
},
{
"name": "CVE-2023-47746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47746"
},
{
"name": "CVE-2023-34062",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34062"
},
{
"name": "CVE-2023-47747",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47747"
},
{
"name": "CVE-2024-0727",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-0727"
},
{
"name": "CVE-2023-46158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46158"
},
{
"name": "CVE-2023-26115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26115"
}
],
"initial_release_date": "2024-02-16T00:00:00",
"last_revision_date": "2024-02-16T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0145",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-02-16T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es, une ex\u00e9cution de code arbitraire \u00e0 distance et une\n\u00e9l\u00e9vation de privil\u00e8ges.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117872 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117872"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118592 du 16 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118592"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117873 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117873"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118289 du 15 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118289"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7118351 du 15 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7118351"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117821 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117821"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117883 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117883"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117881 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117881"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7117884 du 14 f\u00e9vrier 2024",
"url": "https://www.ibm.com/support/pages/node/7117884"
}
]
}
CERTFR-2024-AVI-0939
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| IBM | Sterling | Sterling External Authentication Server versions 6.0.x antérieures à 6.0.3.1 |
| IBM | QRadar | QRadar App SDK versions antérieures à 2.2.2 |
| IBM | Sterling | Sterling Secure Proxy versions 6.0.x antérieures à 6.0.3.1 |
| IBM | Cloud Pak | Cloud Pak versions antérieures à 2.3.5.0 pour Power |
| IBM | Cloud Pak | Cloud Pak versions antérieures à 2.3.4.1 pour Intel |
| IBM | Sterling | Sterling External Authentication Server versions 6.1.x antérieures à 6.1.0.2 |
| IBM | Sterling | Sterling Secure Proxy versions 6.1.x antérieures à 6.1.0.1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Sterling External Authentication Server versions 6.0.x ant\u00e9rieures \u00e0 6.0.3.1",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar App SDK versions ant\u00e9rieures \u00e0 2.2.2",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.0.x ant\u00e9rieures \u00e0 6.0.3.1",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak versions ant\u00e9rieures \u00e0 2.3.5.0 pour Power",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak versions ant\u00e9rieures \u00e0 2.3.4.1 pour Intel",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling External Authentication Server versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.2",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Secure Proxy versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.1 ",
"product": {
"name": "Sterling",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-20919",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20919"
},
{
"name": "CVE-2015-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2327"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2024-37891",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
},
{
"name": "CVE-2015-8383",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8383"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-47747",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47747"
},
{
"name": "CVE-2023-47158",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47158"
},
{
"name": "CVE-2024-20926",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20926"
},
{
"name": "CVE-2023-46167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46167"
},
{
"name": "CVE-2023-38740",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38740"
},
{
"name": "CVE-2023-45853",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45853"
},
{
"name": "CVE-2023-38719",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38719"
},
{
"name": "CVE-2023-45178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45178"
},
{
"name": "CVE-2023-47701",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47701"
},
{
"name": "CVE-2023-50308",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50308"
},
{
"name": "CVE-2023-40687",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40687"
},
{
"name": "CVE-2023-52296",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52296"
},
{
"name": "CVE-2015-8381",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8381"
},
{
"name": "CVE-2024-25046",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25046"
},
{
"name": "CVE-2024-31881",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31881"
},
{
"name": "CVE-2015-8392",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8392"
},
{
"name": "CVE-2024-20921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
},
{
"name": "CVE-2015-8395",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8395"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2015-8393",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8393"
},
{
"name": "CVE-2024-31880",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-31880"
},
{
"name": "CVE-2024-29025",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29025"
},
{
"name": "CVE-2024-28762",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28762"
},
{
"name": "CVE-2024-34062",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34062"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2023-47746",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47746"
},
{
"name": "CVE-2024-27254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27254"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2023-47141",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47141"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2015-8388",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8388"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2023-40692",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40692"
},
{
"name": "CVE-2023-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38003"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2024-35195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
},
{
"name": "CVE-2024-22360",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22360"
},
{
"name": "CVE-2024-5569",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-5569"
},
{
"name": "CVE-2023-38729",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38729"
},
{
"name": "CVE-2023-33850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
},
{
"name": "CVE-2015-8385",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8385"
},
{
"name": "CVE-2015-8394",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8394"
},
{
"name": "CVE-2015-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8391"
},
{
"name": "CVE-2015-8386",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8386"
},
{
"name": "CVE-2015-8387",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8387"
},
{
"name": "CVE-2023-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38727"
},
{
"name": "CVE-2023-29258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29258"
},
{
"name": "CVE-2023-29267",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29267"
},
{
"name": "CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"name": "CVE-2023-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43020"
},
{
"name": "CVE-2023-27859",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27859"
},
{
"name": "CVE-2023-32731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
},
{
"name": "CVE-2015-2328",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2328"
},
{
"name": "CVE-2024-20918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
},
{
"name": "CVE-2024-3651",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3651"
},
{
"name": "CVE-2020-14155",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14155"
},
{
"name": "CVE-2023-40374",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40374"
},
{
"name": "CVE-2015-8390",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8390"
},
{
"name": "CVE-2024-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2024-39689",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39689"
},
{
"name": "CVE-2023-40372",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40372"
},
{
"name": "CVE-2023-47152",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47152"
},
{
"name": "CVE-2012-2677",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-2677"
},
{
"name": "CVE-2024-20952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
}
],
"initial_release_date": "2024-10-31T00:00:00",
"last_revision_date": "2024-10-31T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0939",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-10-31T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-10-30",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7174441",
"url": "https://www.ibm.com/support/pages/node/7174441"
},
{
"published_at": "2024-10-30",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7174420",
"url": "https://www.ibm.com/support/pages/node/7174420"
},
{
"published_at": "2024-10-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7169788",
"url": "https://www.ibm.com/support/pages/node/7169788"
},
{
"published_at": "2024-10-30",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7174440",
"url": "https://www.ibm.com/support/pages/node/7174440"
}
]
}
CERTFR-2023-AVI-1007
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| IBM | N/A | IBM Informix Dynamic Server versions antérieures à 14.10.FC10W1 |
| IBM | QRadar User Behavior Analytics | QRadar User Behavior Analytics versions antérieures à 4.1.14 |
| IBM | Db2 | IBM Db2 versions 10.5.0.x, 11.1.4.x et 11.5.x sans les derniers correctifs de sécurité temporaires (les sorties des versions correctives seront annoncées ultérieurement) |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Informix Dynamic Server versions ant\u00e9rieures \u00e0 14.10.FC10W1",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar User Behavior Analytics versions ant\u00e9rieures \u00e0 4.1.14",
"product": {
"name": "QRadar User Behavior Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 versions 10.5.0.x, 11.1.4.x et 11.5.x sans les derniers correctifs de s\u00e9curit\u00e9 temporaires (les sorties des versions correctives seront annonc\u00e9es ult\u00e9rieurement)",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2015-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2327"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2015-8383",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8383"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-28523",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28523"
},
{
"name": "CVE-2015-8381",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8381"
},
{
"name": "CVE-2015-8392",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8392"
},
{
"name": "CVE-2023-44270",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
},
{
"name": "CVE-2015-8395",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8395"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2015-8393",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8393"
},
{
"name": "CVE-2023-45133",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45133"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2015-8388",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8388"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2023-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38003"
},
{
"name": "CVE-2023-28527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28527"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2015-8385",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8385"
},
{
"name": "CVE-2015-8394",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8394"
},
{
"name": "CVE-2015-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8391"
},
{
"name": "CVE-2015-8386",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8386"
},
{
"name": "CVE-2015-8387",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8387"
},
{
"name": "CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"name": "CVE-2023-32731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
},
{
"name": "CVE-2015-2328",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2328"
},
{
"name": "CVE-2023-28526",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28526"
},
{
"name": "CVE-2020-14155",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14155"
},
{
"name": "CVE-2015-8390",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8390"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
}
],
"initial_release_date": "2023-12-08T00:00:00",
"last_revision_date": "2023-12-08T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-1007",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-12-08T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7087225 du 01 d\u00e9cembre 2023",
"url": "https://www.ibm.com/support/pages/node/7087225"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7070188 du 04 d\u00e9cembre 2023",
"url": "https://www.ibm.com/support/pages/node/7070188"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7087162 du 01 d\u00e9cembre 2023",
"url": "https://www.ibm.com/support/pages/node/7087162"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7090362 du 05 d\u00e9cembre 2023",
"url": "https://www.ibm.com/support/pages/node/7090362"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7087234 du 01 d\u00e9cembre 2023",
"url": "https://www.ibm.com/support/pages/node/7087234"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7078681 du 01 d\u00e9cembre 2023",
"url": "https://www.ibm.com/support/pages/node/7078681"
}
]
}
gsd-2002-0059
Vulnerability from gsd
{
"GSD": {
"alias": "CVE-2002-0059",
"description": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"id": "GSD-2002-0059",
"references": [
"https://www.debian.org/security/2002/dsa-122",
"https://access.redhat.com/errata/RHSA-2002:027",
"https://access.redhat.com/errata/RHSA-2002:026"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2002-0059"
],
"details": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"id": "GSD-2002-0059",
"modified": "2023-12-13T01:24:08.001841Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2002-0059",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "CA-2002-07",
"refsource": "CERT",
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"name": "MDKSA-2002:022",
"refsource": "MANDRAKE",
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"name": "4267",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/4267"
},
{
"name": "zlib-doublefree-memory-corruption(8427)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
},
{
"name": "HPSBTL0204-030",
"refsource": "HP",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"name": "CLA-2002:469",
"refsource": "CONECTIVA",
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"name": "MDKSA-2002:023",
"refsource": "MANDRAKE",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"name": "DSA-122",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"name": "CSSA-2002-015.1",
"refsource": "CALDERA",
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"name": "MDKSA-2002:024",
"refsource": "MANDRAKE",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"name": "VU#368819",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"name": "RHSA-2002:027",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"name": "CSSA-2002-014.1",
"refsource": "CALDERA",
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"name": "HPSBTL0204-036",
"refsource": "HP",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"name": "RHSA-2002:026",
"refsource": "REDHAT",
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"name": "HPSBTL0204-037",
"refsource": "HP",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*",
"matchCriteriaId": "312997A2-05E3-4B6E-B5B9-5058314FC4DC",
"versionEndIncluding": "1.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data."
},
{
"lang": "es",
"value": "El algoritmo de descompresi\u00f3n en la librer\u00eda zlib 1.1.3 y anteriores, usada en muchas utilidades y paquetes, obliga a que la funci\u00f3n \"inflateEnd\" libere cierta memoria m\u00e1s de una vez (hacer un \"free\" dos veces), lo cual permite que atacantes remotos y locales ejecuten c\u00f3digo arbitrario a trav\u00e9s de bloques deformados de datos comprimidos."
}
],
"id": "CVE-2002-0059",
"lastModified": "2024-02-02T15:16:30.483",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2002-03-15T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/4267"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-415"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
ghsa-8894-p74v-5485
Vulnerability from github
The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.
{
"affected": [],
"aliases": [
"CVE-2002-0059"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-03-15T05:00:00Z",
"severity": "HIGH"
},
"details": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.",
"id": "GHSA-8894-p74v-5485",
"modified": "2022-05-03T03:07:47Z",
"published": "2022-05-03T03:07:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0059"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
},
{
"type": "WEB",
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"type": "WEB",
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"type": "WEB",
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"type": "WEB",
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"type": "WEB",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"type": "WEB",
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/4267"
},
{
"type": "WEB",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"type": "WEB",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"type": "WEB",
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
}
],
"schema_version": "1.4.0",
"severity": []
}
fkie_cve-2002-0059
Vulnerability from fkie_nvd
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt | Broken Link | |
| cve@mitre.org | http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000469 | Broken Link | |
| cve@mitre.org | http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022 | Broken Link | |
| cve@mitre.org | http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt | Broken Link | |
| cve@mitre.org | http://www.cert.org/advisories/CA-2002-07.html | Third Party Advisory, US Government Resource | |
| cve@mitre.org | http://www.debian.org/security/2002/dsa-122 | Broken Link | |
| cve@mitre.org | http://www.kb.cert.org/vuls/id/368819 | Third Party Advisory, US Government Resource | |
| cve@mitre.org | http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php | Broken Link, Patch, Vendor Advisory | |
| cve@mitre.org | http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3 | Broken Link | |
| cve@mitre.org | http://www.redhat.com/support/errata/RHSA-2002-026.html | Broken Link, Patch, Vendor Advisory | |
| cve@mitre.org | http://www.redhat.com/support/errata/RHSA-2002-027.html | Broken Link, Patch, Vendor Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/4267 | Broken Link, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030 | Broken Link | |
| cve@mitre.org | http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036 | Broken Link | |
| cve@mitre.org | http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037 | Broken Link | |
| cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/8427 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000469 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.cert.org/advisories/CA-2002-07.html | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2002/dsa-122 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/368819 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php | Broken Link, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.redhat.com/support/errata/RHSA-2002-026.html | Broken Link, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.redhat.com/support/errata/RHSA-2002-027.html | Broken Link, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/4267 | Broken Link, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/8427 | Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*",
"matchCriteriaId": "312997A2-05E3-4B6E-B5B9-5058314FC4DC",
"versionEndIncluding": "1.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a \"double free\"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data."
},
{
"lang": "es",
"value": "El algoritmo de descompresi\u00f3n en la librer\u00eda zlib 1.1.3 y anteriores, usada en muchas utilidades y paquetes, obliga a que la funci\u00f3n \"inflateEnd\" libere cierta memoria m\u00e1s de una vez (hacer un \"free\" dos veces), lo cual permite que atacantes remotos y locales ejecuten c\u00f3digo arbitrario a trav\u00e9s de bloques deformados de datos comprimidos."
}
],
"id": "CVE-2002-0059",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2002-03-15T05:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/4267"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2002-015.1.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000469"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://frontal2.mandriva.com/security/advisories?name=MDKSA-2002:022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www.caldera.com/support/security/advisories/CSSA-2002-014.1.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.cert.org/advisories/CA-2002-07.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www.debian.org/security/2002/dsa-122"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/368819"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-023.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-024.php3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-026.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Patch",
"Vendor Advisory"
],
"url": "http://www.redhat.com/support/errata/RHSA-2002-027.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/4267"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-030"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-036"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBTL0204-037"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/8427"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-415"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.