Showing headlines posted by dave

Red Hat alert: Updated openssh packages available for Red Hat Linux 7

  • Mailing list (Posted by dave on Nov 27, 2000 10:50 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated openssh packages are now available for Red Hat Linux 7. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Red Hat alert: Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7

  • Mailing list (Posted by dave on Nov 27, 2000 10:50 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7.

Red Hat alert: Updated pine and imap packages are available for Red Hat Linux 5.2, 6.x and 7

  • Mailing list (Posted by dave on Nov 27, 2000 10:49 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated pine and imap packages are available for Red Hat Linux 5.2, 6.x and 7. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Red Hat alert: new modutils release addresses more local root compromise possibilities

  • Mailing list (Posted by dave on Nov 27, 2000 10:49 AM EDT)
  • Story Type: Security; Groups: Red Hat
A new modutils-

Red Hat alert: ghostscript uses mktemp instead of mkstemp, and uses an improper LD_RUN_PATH

  • Mailing list (Posted by dave on Nov 27, 2000 10:47 AM EDT)
  • Story Type: Security; Groups: Red Hat
ghostscript makes use of mktemp instead of mkstemp to create temp files; and also uses improper LD_RUN_PATH values, causing it to search for libraries in the current directory. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Red Hat alert: New ncurses packages fixing buffer overrun available

  • Mailing list (Posted by dave on Nov 27, 2000 10:46 AM EDT)
  • Story Type: Security; Groups: Red Hat
If you have any setuid applications that use ncurses and its cursor movement functionality, local users may gain access to the program's privileges. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Red Hat alert: Updated bash (1.x) packages for Red Hat Linux 5.x, 6.x available

  • Mailing list (Posted by dave on Nov 27, 2000 10:11 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated bash (1.x) packages for Red Hat Linux 5.x and 6.x, fixing a security problem, are available.

Red Hat alert: New Netscape packages available

  • Mailing list (Posted by dave on Nov 27, 2000 7:18 AM EDT)
  • Story Type: Security; Groups: Red Hat
New Netscape packages are available that fix a buffer overflow in parsing HTML. It is recommended that all Netscape users update to the fixed packages. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Debian alert: New version of mc released

  • Mailing list (Posted by dave on Nov 24, 2000 4:42 PM EDT)
  • Story Type: Security; Groups: Debian
Maurycy Prodeus found a problem in cons.saver, a screensaver for the console that is included in the mc package. cons.saver does not check if it is started with a valid stdout, which combined with a bug in its check to see if its argument is a tty (it forgot to close the file-descriptor after opening the supposed tty) causes it to write a NUL character to the file given as its parameter.

SuSE alert: openssh/ssh

  • Mailing list (Posted by dave on Nov 24, 2000 6:51 AM EDT)
  • Story Type: Security; Groups: SUSE
openssh is an implementation of the secure shell protocol, available under the BSD license, primarily maintained by the OpenBSD Project.

Red Hat alert: New ncurses packages fixing buffer overrun available

  • Mailing list (Posted by dave on Nov 23, 2000 7:28 AM EDT)
  • Story Type: Security; Groups: Red Hat
If you have any setuid applications that use ncurses and its cursor movement functionality, local users may gain access to the program's privileges.

Debian alert: New version of ghostscript released

  • Mailing list (Posted by dave on Nov 22, 2000 4:33 PM EDT)
  • Story Type: Security; Groups: Debian
ghostscript uses temporary files to do some of its work. Unfortunately the method used to create those files wasn't secure: mktemp was used to create a name for a temporary file, but the file was not opened safely. A second problem is that during build the LD_RUN_PATH environment variable was set to the empty string, which causes the dynamic linker to look in the current directory for shared libraries.

Red Hat alert: new modutils release addresses more local root compromise possibilities

  • Mailing list (Posted by dave on Nov 22, 2000 3:50 PM EDT)
  • Story Type: Security; Groups: Red Hat
A new modutils-

Red Hat alert: ghostscript uses mktemp instead of mkstemp, and uses an improper LD_RUN_PATH

  • Mailing list (Posted by dave on Nov 22, 2000 12:59 PM EDT)
  • Story Type: Security; Groups: Red Hat
ghostscript makes use of mktemp instead of mkstemp to create temp files; and also uses improper LD_RUN_PATH values, causing it to search for libraries in the current directory.

Debian alert: New version of modutils released

  • Mailing list (Posted by dave on Nov 22, 2000 12:07 PM EDT)
  • Story Type: Security; Groups: Debian
Sebastian Krahmer raised an issue in modutils. In an ideal world, modprobe should trust the kernel to only pass valid parameters to modprobe. However, he has found at least one local root exploit because high-level kernel code passed unverified parameters directly from the user to modprobe. So modprobe no longer trusts kernel input and switches to a safe mode.

Debian alert: No koules vulnerability

  • Mailing list (Posted by dave on Nov 22, 2000 12:06 PM EDT)
  • Story Type: Security; Groups: Debian
Guido Bakker has reported a local root vulnerability that can result in local users gaining root permission on a host running koules.sndsrv.linux using a buffer overflow.

Debian alert: New version of elvis-tiny released

  • Mailing list (Posted by dave on Nov 22, 2000 11:53 AM EDT)
  • Story Type: Security; Groups: Debian
Topi Miettinen audited elvis-tiny and raised an issue covering the use and creation of temporary files. Those files are created with a predictable pattern, and the O_EXCL flag is not used when opening them. This makes users of elvis-tiny vulnerable to race conditions and/or data lossage.

Debian alert: New Debian xmcd packages released

  • Mailing list (Posted by dave on Nov 22, 2000 8:31 AM EDT)
  • Story Type: Security; Groups: Debian
The Debian GNU/Linux xmcd package has historically installed two setuid helpers for accessing cddb databases and SCSI cdrom drives. More recently, the package offered the administrator the chance to remove these setuid flags, but did so incorrectly.

Debian alert: New Debian ncurses packages released

  • Mailing list (Posted by dave on Nov 22, 2000 7:43 AM EDT)
  • Story Type: Security; Groups: Debian
The version of the ncurses display library shipped with Debian GNU/Linux 2.2 is vulnerable to several buffer overflows in the parsing of terminfo database files. This problem was discovered by Jouko Pynnönen <jouko@solutions.fi>. The problems are only exploitable in the presence of setuid binaries linked to ncurses which use these particular functions, including xmcd versions before 2.5pl1-7.1.

Debian alert: New version of ethereal released

  • Mailing list (Posted by dave on Nov 21, 2000 5:38 PM EDT)
  • Story Type: Security; Groups: Debian
hacksware reported a buffer overflow in the AFS packet parsing code in ethereal. Gerald Combs then found more overflows in the netbios and ntp decoding logic as well. An attacker can exploit those overflows by sending carefully crafted packets to a network that is being monitored by ethereal.