Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 5433 5434 5435 5436 5437 5438 5439 5440 5441 5442 5443 ... 5468 ) Next »

Debian alert: buffer overflow in xpilot-server

  • Mailing list (Posted by dave on Apr 16, 2002 3:05 PM EDT)
  • Story Type: Security; Groups: Debian
An internal audit by the xpilot (a multi-player tactical manoeuvring game for X) maintainers revealed a buffer overflow in xpilot server. This overflow can be abused by remote attackers to gain access to the server under which the xpilot server is running.

Mandrake alert: squid update

Error and boundary conditions were not checked when handling compressed DNS answer messages in the internal DNS code (lib/rfc1035.c). A malicous DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV.

Debian alert: Horde and IMP cross-site scripting attack

  • Mailing list (Posted by dave on Apr 16, 2002 7:34 AM EDT)
  • Story Type: Security; Groups: Debian
A cross-site scripting (CSS) problem was discovered in Horde and IMP (a web based IMAP mail package). This was fixed upstream in Horde version 1.2.8 and IMP version 2.2.8. The relevant patches have been back-ported to version 1.2.6-0.potato.5 of the horde package and version 2.2.6-0.potato.5 of the imp package.

Mandrake alert: libsafe update

Wojciech Purczynski discovered that format string protection in libsafe can be easily bypassed by using flag characters that are implemented in glibc but are not implemented in libsafe. It was also discovered that *printf function wrappers incorrectly parse argument indexing in format strings, making some incorrect assumptions on the number of arguments and conversion specifications. These problems were fixed by the libsafe authors in 2.0-12.

Red Hat alert: Updated tcpdump packages available for Red Hat Linux 6.2 and 7.x

  • Mailing list (Posted by dave on Apr 9, 2002 10:33 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close vulnerabilities present in versions of tcpdump up to 3.5.1 and various other bugs.

Red Hat alert: Updated tcpdump packages available for Red Hat Linux 6.2 and 7.x

  • Mailing list (Posted by dave on Apr 9, 2002 10:33 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close vulnerabilities present in versions of tcpdump up to 3.5.1 and various other bugs.

SuSE alert: ucdsnmp

  • Mailing list (Posted by dave on Apr 8, 2002 8:10 AM EDT)
  • Story Type: Security; Groups: SUSE
The Secure Programming Group of the Oulu University, Sweden released a testing suite for SNMP implementations. Several bugs could be triggered in the ucd-snmpd code by using this testing suite. These bugs lead to remote denial-of-service attacks and may possibly exploited to break system security remotely. Additionally, the SuSE Security Team did a full audit of the ucd-snmpd code and we hope to avoid more problems caused by other bugs in the future.

Red Hat alert: Race conditions in logwatch

  • Mailing list (Posted by dave on Apr 4, 2002 1:34 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated LogWatch packages are available that fix tmp file race conditions which can cause a local user to gain root privileges.

Red Hat alert: Race conditions in logwatch

  • Mailing list (Posted by dave on Apr 4, 2002 1:32 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated LogWatch packages are available that fix tmp file race conditions which can cause a local user to gain root privileges.

Debian alert: New analog packages fix cross-site scripting vulnerability

  • Mailing list (Posted by dave on Mar 27, 2002 11:47 PM EDT)
  • Story Type: Security; Groups: Debian
Yuji Takahashi discovered a bug in analog which allows a cross-site scripting type attack. It is easy for an attacker to insert arbitrary strings into any web server logfile. If these strings are then analysed by analog, they can appear in the report. By this means an attacker can introduce arbitrary Javascript code, for example, into an analog report produced by someone else and read by a third person. Analog already attempted to encode unsafe characters to avoid this type of attack, but the conversion was incomplete.

Debian alert: New mtr packages fix buffer overflow

  • Mailing list (Posted by dave on Mar 26, 2002 12:18 AM EDT)
  • Story Type: Security; Groups: Debian
The authors of mtr released a new upstream version, noting a non-exploitable buffer overflow in their ChangeLog. Przemyslaw Frasunek, however, found an easy way to exploit this bug, which allows an attacker to gain access to the raw socket, which makes IP spoofing and other malicious network activity possible.

Red Hat alert: Vulnerability in zlib library

  • Mailing list (Posted by dave on Mar 22, 2002 7:28 AM EDT)
  • Story Type: Security; Groups: Red Hat
[Update 20 Mar 2002: Added kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC packages as the previous fix caused another denial of service vulnerability; thanks to Const Kaplinsky for reporting this] [Update 14 Mar 2002: Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing the zlib fix; added missing kernel-headers package for 6.

Red Hat alert: Updated PHP packages are available [updated 2002-Mar-11]

  • Mailing list (Posted by dave on Mar 22, 2002 7:23 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated PHP packages are available to fix vulnerabilities in the functions that parse multipart MIME data, which are used when uploading files through forms. This revised advisory contains updated packages for Red Hat Linux 7, 7.1, and 7.

Red Hat alert: New imlib packages available

  • Mailing list (Posted by dave on Mar 21, 2002 8:10 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated imlib packages are now available for Red Hat Linux 6.2, 7, 7.1 and 7.2 which fix potential problems loading untrusted images.

Mandrake alert: fix for insecure default kdm configuration

A problem was discovered with the default configuration of the kdm display manager in Mandrake Linux.

Debian alert: listar buffer overflow

  • Mailing list (Posted by dave on Mar 19, 2002 6:07 AM EDT)
  • Story Type: Security; Groups: Debian
Janusz Niewiadomski and Wojciech Purczynski reported a buffer overflow in the address_match of listar (a listserv style mailing-list manager).

Red Hat alert: Vulnerability in zlib library

  • Mailing list (Posted by dave on Mar 18, 2002 6:18 AM EDT)
  • Story Type: Security; Groups: Red Hat
[Update 14 Mar 2002: Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing the zlib fix; added missing kernel-headers package for 6.

Red Hat alert: Updated cups packages are available

  • Mailing list (Posted by dave on Mar 15, 2002 3:38 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated cups packages which fix a security problem are available.

Mandrake alert: rsync update

Ethan Benson discovered a bug in rsync where the supplementary groups that the rsync daemon runs as (such as root) would not be removed from the server process after changing to the specified unprivileged uid and gid. This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root). Note that, by default, Mandrake Linux uses xinetd to handle connections to the rsync daemon. This was fixed upstream in version 2.5.3, as well as the previously noted zlib fixes (see MDKSA-2002:023). The authors released 2.5.4 with some additional zlib fixes, and all users are encouraged to upgrade to this new version of rsync.

Mandrake alert: packages containing zlib update

Matthias Clasen found a security issue in zlib that, when provided with certain input, causes zlib to free an area of memory twice.

« Previous ( 1 ... 5433 5434 5435 5436 5437 5438 5439 5440 5441 5442 5443 ... 5468 ) Next »