Product: Sun Cobalt RaQ XTR Server, Sun Cobalt RaQ 4 Server, Sun Cobalt RaQ 550 Server

A local or remote unprivileged user may be able to execute arbitrary code with elevated privileges or cause a Denial of Service (DoS) condition on a Sun Cobalt system due to a security vulnerability in the sendmail(8) daemon involving signal handling.

This issue is referenced in the following documents:

CERT VU#834865 http://www.kb.cert.org/vuls/id/834865 which is referenced in CERT Technical Cyber Security Alert TA06-081A: http://www.us-cert.gov/cas/techalerts/TA06-081A.html

Avoidance: Workaround
State: Workaround
First released: 25-Apr-2006

Product: Solaris 10 Operating System

If a privileged application links to the libpkcs11(3LIB) library and utilizes the getpwnam(3C) family of non-reentrant functions to obtain password entries, then it may be possible for a local unprivileged user to execute arbitrary code with the privileges of the application depending on the way the application uses data provided by getpwnam(3C) and related functions. The application may also fail due to receiving unexpected data from one of the non-reentrant getpwnam(3C) functions.

Avoidance: Patch
State: Resolved
First released: 24-Apr-2006

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A local or remote unprivileged user may be able to execute arbitrary code with elevated privileges or cause a Denial of Service (DoS) condition due to a security vulnerability in the sendmail(1M) daemon involving signal handling.

This issue is referenced in the following documents:

CVE-2006-0058 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058

CERT VU#834865 http://www.kb.cert.org/vuls/id/834865 which is referenced in CERT Technical Cyber Security Alert TA06-081A: http://www.us-cert.gov/cas/techalerts/TA06-081A.html

Avoidance: Patch
State: Resolved
First released: 22-Mar-2006

Product: Sun Java Studio Enterprise 8

A security vulnerability in Sun Java Studio Enterprise 8 may allow a local unprivileged user to execute arbitrary commands as a user who runs Sun Java Studio, because certain files are created with world-writable permissions when the product is installed by root.

Avoidance: Patch, Workaround
State: Resolved
First released: 13-Apr-2006

Product: Solaris 10 Operating System

Several vulnerabilities in the Apache 2.0 web server prior to version 2.0.55 may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to the Apache 2 HTTP process, or may allow a local user who is able to write to directories served by the web server to execute arbitrary code with the privileges of the Apache 2 process. The Apache 2 HTTP process normally runs as the unprivileged user "webservd" (uid 80).

Additional vulnerabilities may prevent certain configured security features from being applied to specific HTTP transactions, or may allow local unprivileged users to gain access to sensitive information.

These vulnerabilities are described at the following URLs:

The Change Log for Apache 2.0, at http://www.apache.org/dist/httpd/CHANGES_2.0

CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require'" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

CAN-2005-2491: "overflow[...] in Perl Compatible Regular Expressions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491

CAN-2005-2088: "HTTP Request Smuggling" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

CAN-2005-2728: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2728

CAN-2005-1268: "Certificate Revocation List[...] buffer overflow" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1268

CAN-2004-0942: "denial of service" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

CAN-2004-0885: "'SSLCipherSuite'[...] bypass intended restrictions" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885

CAN-2004-1834: "allow local users to gain sensitive information" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1834

Avoidance: T-Patch
State: Workaround
First released: 01-Mar-2006

Product: Solaris 9 Operating System, Solaris 8 Operating System

Local unprivileged users may discover the Directory Server root Distinguished Name (rootDN) password if a privileged user uses the idsconfig(1M) command.

The rootDN password may also be observed if a privileged user runs any of the following LDAP commands insecurely:

  • ldapadd(1)
  • ldapdelete(1)
  • ldapmodify(1)
  • ldapmodrdn(1)
  • ldapsearch(1)

The rootDN password may then be used to add, change, delete and search records within the Directory Server.

Sun acknowledges, with thanks, Michael Gerdts for bringing these issues to our attention.

Avoidance: Patch, Workaround
State: Resolved
First released: 11-Apr-2006

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A security vulnerability in the Bourne shell may allow an unprivileged local user to cause sh(1) processes to crash while creating temporary files. This can lead to a Denial of Service (DoS) for scripts or for users (such as 'root') that use sh(1).

Avoidance: Patch
State: Resolved
First released: 11-Apr-2006