Product: Solaris 10 Operating System

If a patch or package is installed onto a Solaris 10 system which contains a pkgmap(4) with a "?" for the mode field of a file or directory, pkgadd(1M) may incorrectly set the permissions of the corresponding file or directory to either 755 or 777. Permissions of 777 are a security risk: when applied to a file, any user is able to modify that file, and when applied to a directory, all files within that directory can be modified by any user.

The expected behavior is:

  1. Default permissions (644 for files, and 755 for directories) when the file is not present in the system.
  2. Existing file permissions unchanged, if the file already exists.

Avoidance: Patch
State: Resolved
First released: 25-Aug-2006
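As an added illustration (not part of the Sun Alert and not Sun's own code): a small Python check that parses pkgmap(4) entries, computes the mode the alert says pkgadd(1M) should apply when the mode field is "?", and flags any such entry that ended up world-writable after installation. The pkgmap fragment, package name and post-install mode snapshot are constructed for the example.

```python
import os
import stat

# Constructed pkgmap(4) fragment (not from any real Sun package). Field order:
# part ftype class pathname mode owner group [size cksum modtime]; a "?" in the
# mode field means "use the default / leave an existing mode alone".
SAMPLE_PKGMAP = """\
: 1 100
1 d none /opt/EXAMPLEpkg ? root bin
1 f none /opt/EXAMPLEpkg/bin/tool 0755 root bin 1234 4321 1100000000
1 f none /opt/EXAMPLEpkg/etc/tool.conf ? root bin 200 100 1100000000
1 s none /opt/EXAMPLEpkg/bin/alias=tool
"""

DEFAULT_MODE = {"f": 0o644, "d": 0o755}   # the alert's expected defaults
WORLD_WRITABLE = stat.S_IWOTH              # the 0o002 bit set by a 777 mode

def parse_pkgmap(text):
    """Yield (ftype, path, mode_field) for entries that carry a mode field."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == ":":        # header line or no mode field
            continue
        if f[1] in ("f", "d", "e", "v"):     # regular, directory, editable, volatile
            yield f[1], f[3], f[4]

def expected_mode(ftype, mode_field, existing_mode=None):
    """Mode pkgadd should leave behind per the alert: an explicit octal mode
    as given; for "?", the pre-existing mode if the object was already on the
    system, otherwise 644 for files and 755 for directories."""
    if mode_field != "?":
        return int(mode_field, 8)
    if existing_mode is not None:
        return existing_mode
    return DEFAULT_MODE["d" if ftype == "d" else "f"]

def audit(pkgmap_text, installed_modes):
    """Return the "?" entries that are world-writable after install.
    installed_modes maps path -> permission bits (S_IMODE) found on disk."""
    findings = []
    for ftype, path, mode_field in parse_pkgmap(pkgmap_text):
        actual = installed_modes.get(path)
        if mode_field == "?" and actual is not None and actual & WORLD_WRITABLE:
            findings.append((path, oct(actual)))
    return findings

def modes_on_disk(paths):
    """Collect permission bits for the given paths present on this host."""
    return {p: stat.S_IMODE(os.lstat(p).st_mode) for p in paths if os.path.lexists(p)}

if __name__ == "__main__":
    # Constructed post-install snapshot: the directory received the buggy 777.
    snapshot = {"/opt/EXAMPLEpkg": 0o777, "/opt/EXAMPLEpkg/etc/tool.conf": 0o644}
    for path, mode in audit(SAMPLE_PKGMAP, snapshot):
        print("world-writable after pkgadd:", path, mode)
```

On a live system, feed the paths from `parse_pkgmap` through `modes_on_disk` to build the snapshot instead of the constructed one.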

Product: Sun Java System Content Delivery Server 5.0, Sun Java System Content Delivery Server 2004Q1

A security vulnerability in the Sun Java System Content Delivery Server may allow a local or remote unprivileged user to read data from any file on the system.

Avoidance: Patch
State: Resolved
First released: 24-Aug-2006

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Due to a security vulnerability in the format(1M) command, it may be possible for a user who has been granted the "File System Management" RBAC profile (or any custom profile which would allow the user to run the format(1M) command with root privileges) to execute arbitrary code with the privileges of the root user.

Avoidance: Patch, Workaround
State: Resolved
First released: 21-Aug-2006

Product: Solaris 9 Operating System, Solaris 8 Operating System

A security vulnerability in the default Role-Based Access Control (RBAC, see rbac(5)) configuration associated with the "File System Management" profile may allow a local user who has been assigned that profile to execute arbitrary commands with the privileges of the "root" user.

In addition, a security vulnerability in the format(1M) command may allow a local user who has been granted the "File System Management" RBAC profile (or any custom profile which would allow the user to run the format(1M) command with "root" privileges) to write to the device files associated with local disks with the privileges of the root user.

Avoidance: Patch, Workaround
State: Resolved
First released: 21-Aug-2006

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

On hosts where sendmail(1M) is configured to accept incoming mail, a local or remote unprivileged user may be able to prevent sendmail from successfully delivering queued messages, resulting in a Denial of Service (DoS) of the sendmail delivery mechanism.

On hosts which do not accept remote incoming mail, but make use of sendmail(1M) to deliver messages to other hosts and users, a local unprivileged user may be able to prevent sendmail from delivering queued messages, again resulting in a Denial of Service (DoS) of the sendmail delivery mechanism.

If either of the two issues above is exploited, an additional Denial of Service (DoS) to the system may occur if sendmail(1M) is configured to write unique core files to disk and to attempt to flush the delivery queue regularly. Each attempt to flush the delivery queue will result in a new core file being written to disk, eventually consuming all available space.

This issue is referenced in the following documents:

CVE-2006-1173 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1173

CERT VU#146718 at http://www.kb.cert.org/vuls/id/146718

Avoidance: Workaround, Patch
State: Workaround
First released: 14-Jun-2006

Product: Java 2 Platform, Standard Edition

The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.

Avoidance: Patch, Upgrade, Workaround
State: Resolved
First released: 21-Aug-2006

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

1. A vulnerability in the Apache 1.3 web server bundled with Solaris 8 and 9 may allow a local user who is able to create SSI documents which are served by Apache to execute arbitrary code with the privileges of the Apache 1.3 process. The Apache HTTP process normally runs as the unprivileged user "nobody" (uid 60001).

2. A second vulnerability affects the Apache 1.3 web server bundled with Solaris 10 which may prevent certain configured security features from being applied to specific HTTP transactions when Apache is configured to use SSL.

3. A third vulnerability in the Apache 1.3 web server may allow local or remote unprivileged users to bypass security protections associated with some network transactions, corrupt information stored in a web cache, or perform cross-site scripting activities when the Apache web server is configured to run as a proxy.

These vulnerabilities are described at the following URLs:

The Change Log for Apache 1.3 at http://www.apache.org/dist/httpd/CHANGES_1.3

CAN-2004-0940: "allows local users[...] to execute arbitrary code" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940

CAN-2005-2700: "does not properly enforce 'SSLVerifyClient require'" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2700

CAN-2005-2088: "HTTP Request Smuggling" http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2088

Avoidance: Workaround, Patch
State: Resolved
First released: 01-Mar-2006

Product: Sun Fire T2000 Server, Solaris 10 Operating System

The crypto provider in Solaris 10 3/05 HW2 when running on Sun Fire T2000 platforms might incorrectly verify a DSA signature. Applications which depend on the results of this DSA signature verification might be vulnerable to trusting data which could have been tampered with.

Avoidance: Patch, Upgrade
State: Resolved
First released: 01-Aug-2006