RHEL 2.1 : cadaver (RHSA-2004:191)

high Nessus Plugin ID 12496

Synopsis

The remote Red Hat host is missing a security update.

Description

An updated cadaver package is now available that fixes a vulnerability in neon which could be exploitable by a malicious DAV server.

cadaver is a command-line WebDAV client that uses inbuilt code from neon, an HTTP and WebDAV client library.

Stefan Esser discovered a flaw in the neon library which allows a heap buffer overflow in a date parsing routine. An attacker could create a malicious WebDAV server in such a way as to allow arbitrary code execution on the client should a user connect to it using cadaver. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0398 to this issue.

Users of cadaver are advised to upgrade to this updated package, which contains a patch correcting this issue.

This issue does not affect Red Hat Enterprise Linux 3.

Solution

Update the affected cadaver package.

See Also

https://access.redhat.com/security/cve/cve-2004-0398

http://www.nessus.org/u?51e8cba5

https://access.redhat.com/errata/RHSA-2004:191

Plugin Details

Severity: High

ID: 12496

File Name: redhat-RHSA-2004-191.nasl

Version: 1.30

Type: local

Agent: unix

Published: 7/6/2004

Updated: 1/14/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:2.1, p-cpe:/a:redhat:enterprise_linux:cadaver

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 5/19/2004

Vulnerability Publication Date: 7/7/2004

Reference Information

CVE: CVE-2004-0398

RHSA: 2004:191