CVE-2005-2024
CVSS 5.0
Published: 2005-06-17 00:00:00
Modified: 2008-09-05 16:50:40

[Original] Vipul Razor Agents (razor-agents) before 2.70 allows remote attackers to cause a denial of service via (1) certain "unusual HTML messages" or (2) "certain malformed headers" such as Content-Type.


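[CNNVD] Vipul Razor Agents Multiple Unspecified Denial-of-Service Vulnerabilities (CNNVD-200506-179)

        In versions of Vipul Razor Agents (razor-agents) before 2.70, an attacker can trigger a denial of service via (1) a certain "unusual HTML message" or (2) "certain malformed headers", such as Content-Type.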

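- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [there are no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]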

- CPE (Affected Platforms and Products)

cpe:/a:vipul:razor-agents:2.71
cpe:/a:vipul:razor-agents:2.72
cpe:/a:vipul:razor-agents:2.70

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2024
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2024
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-179
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/13984
(VENDOR_ADVISORY)  BID  13984
http://sourceforge.net/mailarchive/forum.php?thread_id=7520323&forum_id=4259
(VENDOR_ADVISORY)  CONFIRM  http://sourceforge.net/mailarchive/forum.php?thread_id=7520323&forum_id=4259
http://security.gentoo.org/glsa/glsa-200506-17.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200506-17
http://bugs.gentoo.org/show_bug.cgi?id=95492
(VENDOR_ADVISORY)  MISC  http://bugs.gentoo.org/show_bug.cgi?id=95492
http://www.novell.com/linux/security/advisories/2005_35_razor_agents.html
(UNKNOWN)  SUSE  SUSE-SA:2005:035
http://www.debian.org/security/2005/dsa-738
(UNKNOWN)  DEBIAN  DSA-738

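- Vulnerability Information

Vipul Razor Agents Multiple Unspecified Denial-of-Service Vulnerabilities
Medium risk  Other
2005-06-17 00:00:00 2005-10-20 00:00:00
Remote
        In versions of Vipul Razor Agents (razor-agents) before 2.70, an attacker can trigger a denial of service via (1) a certain "unusual HTML message" or (2) "certain malformed headers", such as Content-Type.

- Advisories and Patches

        The vendor has released upgrade patches that fix this security issue. Patch download links: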
        Vipul razor-agents 2.126
        SuSE razor-agents-2.126-122.i586.rpm
        SUSE Linux 8.2:
        ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/razor-agents-2.126-122.i586.rpm
        Vipul razor-agents 2.34
        SuSE razor-agents-2.34-54.i586.rpm
        SUSE Linux 9.0:
        ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/razor-agents-2.34-54.i586.rpm
        SuSE razor-agents-2.34-54.x86_64.rpm
        SUSE Linux 9.0:
        ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/razor-agents-2.34-54.x86_64.rpm
        Vipul razor-agents 2.36
        SuSE razor-agents-2.36-59.4.i586.rpm
        SUSE Linux 9.1:
        ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/razor-agents-2.36-59.4.i586.rpm
        SuSE razor-agents-2.36-59.4.x86_64.rpm
        SUSE Linux 9.1:
        ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/razor-agents-2.36-59.4.x86_64.rpm
        Vipul razor-agents 2.61
        SuSE razor-agents-2.61-3.2.i586.rpm
        SUSE Linux 9.2:
        ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/razor-agents-2.61-3.2.i586.rpm
        SuSE razor-agents-2.61-3.2.x86_64.rpm
        SUSE Linux 9.2:
        ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/razor-agents-2.61-3.2.x86_64.rpm
        Vipul razor-agents 2.67
        Debian razor_2.670-1sarge2_alpha.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_alpha.deb
        Debian razor_2.670-1sarge2_amd64.deb
        Debian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_amd64.deb
        Debian razor_2.670-1sarge2_arm.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_arm.deb
        Debian razor_2.670-1sarge2_hppa.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_hppa.deb
        Debian razor_2.670-1sarge2_i386.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_i386.deb
        Debian razor_2.670-1sarge2_ia64.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_ia64.deb
        Debian razor_2.670-1sarge2_m68k.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_m68k.deb
        Debian razor_2.670-1sarge2_mips.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_mips.deb
        Debian razor_2.670-1sarge2_mipsel.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_mipsel.deb
        Debian razor_2.670-1sarge2_powerpc.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_powerpc.deb
        Debian razor_2.670-1sarge2_s390.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_s390.deb
        Debian razor_2.670-1sarge2_sparc.deb
        Debian 3.1 (sarge)
        http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_sparc.deb
        SuSE razor-agents-2.67-3.2.i586.rpm
        SUSE Linux 9.3:
        ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/razor-agents-2.67-3.2.i586.rpm
        SuSE razor-agents-2.67-3.2.x86_64.rpm
        SUSE Linux 9.3:
        ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/razor-agents-2.67-3.2.x86_64.rpm
        Vipul razor-agents 2.70
        Vipul razor-agents-2.72.tar.gz
        http://prdownloads.sourceforge.net/razor/razor-agents-2.72.tar.gz?download
        Vipul razor-agents-2.74.tar.bz2
        http://prdownloads.sourceforge.net/razor/razor-agents-2.74.tar.bz2?download
        Vipul razor-agents 2.71
        Vipul razor-agents-2.72.tar.gz
        http://prdownloads.sourceforge.net/razor/razor-agents-2.72.tar.gz?download
        Vipul razor-agents-2.74.tar.bz2
        http://prdownloads.sourceforge.net/razor/razor-agents-2.74.tar.bz2?download
        Vipul razor-agents 2.72
        Vipul razor-agents-2.74.tar.bz2
        http://prdownloads.sourceforge.net/razor/razor-agents-2.74.tar.bz2?download

- Vulnerability Information (F38509)

Debian Linux Security Advisory 738-1 (PacketStormID:F38509)
2005-07-07 00:00:00
Debian  security.debian.org
advisory,denial of service
linux,debian
CVE-2005-2024

Debian Security Advisory DSA 738-1 - A vulnerability was discovered in the way that Razor parses certain email headers that could potentially be used to crash the Razor program, causing a denial of service (DOS).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA 738-1                   security@debian.org
http://www.debian.org/security/                            Michael Stone
July 05, 2005                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : razor
Vulnerability  : email header parsing error
Problem type   : remote DOS
Debian-specific: no
CVE Id(s)      : CAN-2005-2024

A vulnerability was discovered in the way that Razor parses certain
email headers that could potentially be used to crash the Razor program,
causing a denial of service (DOS). 

For the stable distribution (sarge), this problem has been fixed in
version 2.670-1sarge2. 

The old stable distribution (woody) is not affected by this issue.

We recommend that you upgrade your razor package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (sarge)
- ------------------

  sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2.dsc
      Size/MD5 checksum:      799 88b6def693d8e884f636acf9337344f1
    http://security.debian.org/pool/updates/main/r/razor/razor_2.670.orig.tar.gz
      Size/MD5 checksum:    86705 0118b6030ea261ea85e73a55cc7eac8e
    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2.diff.gz
      Size/MD5 checksum:    10699 ed53476451c87dbf876697e198083973

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_alpha.deb
      Size/MD5 checksum:   117030 ab3c6043749da7b66aa468f8fec794a7

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_arm.deb
      Size/MD5 checksum:   115572 01ee173b14d45f1f576dd3b4db6ba3e8

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_hppa.deb
      Size/MD5 checksum:   117146 82889def9ab647e075cedf658a2e7707

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_i386.deb
      Size/MD5 checksum:   116070 9171153ba7bf5c0c679c14a8303d777d

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_ia64.deb
      Size/MD5 checksum:   118378 d1ed58ed88d490cad82b8cde72745b6d

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_m68k.deb
      Size/MD5 checksum:   115938 6a620f25c1895e3ac80ba94c57931874

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_mips.deb
      Size/MD5 checksum:   114962 3a771fb3bc2b88b6606121541f4e1c80

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_mipsel.deb
      Size/MD5 checksum:   114978 3c6f16f40f9820e4624c277969c85947

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_powerpc.deb
      Size/MD5 checksum:   117502 2860b774a37ed2eaae9efd365e05ceaf

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_s390.deb
      Size/MD5 checksum:   115738 02789063e04d63a1eea5f2bf88745c5f

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/r/razor/razor_2.670-1sarge2_sparc.deb
      Size/MD5 checksum:   115848 8a264ab5802cf6764db4354facdd4ea0

- -------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

    

- Vulnerability Information

17390
Vipul's Razor-agents Crafted HTML Pre-processing DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public Vendor Verified

- Vulnerability Description

Vipul's Razor-agents contains a flaw that may allow a remote denial of service. The issue is triggered when certain unspecified malformed HTML emails are processed, and will result in loss of availability for the service.

- Timeline

2005-05-12 2004-08-01
2005-05-12 Unknown

- Solution

Upgrade to version 2.70 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

Vipul Razor-agents Multiple Unspecified Denial Of Service Vulnerabilities
Failure to Handle Exceptional Conditions 13984
Yes No
2005-06-17 12:00:00 2007-03-06 08:15:00
Discovery of these issues is credited to Martin Blapp and Nick Leverton.

- Affected Software Versions

Vipul razor-agents 2.126
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Vipul razor-agents 2.72
Vipul razor-agents 2.71
Vipul razor-agents 2.70
Vipul razor-agents 2.67
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Vipul razor-agents 2.61
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Vipul razor-agents 2.36
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Vipul razor-agents 2.34
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
Trustix Secure Linux 2.2
Trustix Secure Linux 2.1
Trustix Secure Enterprise Linux 2.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
Gentoo Linux
Vipul razor-agents 2.74
Vipul razor-agents 2.72

- Unaffected Software Versions

Vipul razor-agents 2.74
Vipul razor-agents 2.72

- Vulnerability Discussion

Vipul Razor-agents is prone to multiple unspecified denial-of-service vulnerabilities:

- An issue resides in the discovery logic of Razor-agents.
- Another issue resides in the preprocessing code of Razor-agents.

Attackers may exploit both issues to cause a denial of service for the vulnerable application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Solution

The vendor has addressed these issues. Please see the references for details.


Vipul razor-agents 2.126

Vipul razor-agents 2.34

Vipul razor-agents 2.36

Vipul razor-agents 2.61

Vipul razor-agents 2.67

Vipul razor-agents 2.70

Vipul razor-agents 2.71

Vipul razor-agents 2.72

- References
