Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 5457 5458 5459 5460 5461 5462 5463 5464 5465 ... 5466 ) Next »

Debian alert: Debian esound packages not affected by /tmp/.esd race condition

  • Mailing list (Posted by dave on Oct 9, 2000 10:55 AM EDT)
  • Story Type: Security; Groups: Debian
Linux-Mandrake has recently released a Security Advisory (MDKSA-2000:051) covering a race condition in the esound. Debian is not affected by this bug; the bug is specific to the unix domain socket support, which was turned off in stable (2.2/potato) and unstable (woody) on February 16, 2000. Therefore neither the current stable or unstable distribution of Debian is vulnerable to this problem. Debian 2.1 (aka "slink") is also not vulnerable to this problem; the version of esound in Debian 2.1 is 0.2.6, which predates the buggy unix domain socket code.

Red Hat alert: Updated usermode packages available

  • Mailing list (Posted by dave on Oct 9, 2000 10:23 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated usermode packages are now available for Red Hat Linux 6.x and 7.

Red Hat alert: tmpwatch has a local denial of service and root exploit

  • Mailing list (Posted by dave on Oct 6, 2000 2:01 PM EDT)
  • Story Type: Security; Groups: Red Hat
tmpwatch as shipped in Red Hat Linux 6.1, 6.2, and 7.0 uses fork() to recursively process subdirectories, enabling a local user to perform a denial of service attack. Tmpwatch from Red Hat Linux 6.2 and 7.0 also contains an option to allow it to use the fuser command to check for open files before removal. It executed fuser in an insecure fashion, allowing a local root exploit.

Red Hat alert: traceroute setuid root exploit with multiple -g options

  • Mailing list (Posted by dave on Oct 6, 2000 1:21 PM EDT)
  • Story Type: Security; Groups: Red Hat
a root exploit and several additional bugs in traceroute have been corrected.

Red Hat alert: esound contains a race condition

  • Mailing list (Posted by dave on Oct 6, 2000 1:13 PM EDT)
  • Story Type: Security; Groups: Red Hat
Esound, the Gnome sound server, contains a race condition that a malicious user could exploit to change permissions of any file owned by the esound user.

Red Hat alert: lpr has a format string security bug, LPRng compat issues, and a race cond.

  • Mailing list (Posted by dave on Oct 4, 2000 1:52 PM EDT)
  • Story Type: Security; Groups: Red Hat
lpr has a format string security bug. It also mishandles any extension to the lpd communication protocol, and assumes that the instructions contained in the extension are a file it should try to print. It also has a race condition in the handling of queue interactions that can cause the queue to wedge. Note: Packages indicated in revision -03 and earlier were not signed with the Red Hat GPG key. This has been corrected.

Red Hat alert: lpr has a format string security bug, LPRng compat issues, and a race cond.

  • Mailing list (Posted by dave on Oct 4, 2000 9:01 AM EDT)
  • Story Type: Security; Groups: Red Hat
lpr has a format string security bug. It also mishandles any extension to the lpd communication protocol, and assumes that the instructions contained in the extension are a file it should try to print. It also has a race condition in the handling of queue interactions that can cause the queue to wedge.

Red Hat alert: LPRng contains a critical string format bug

  • Mailing list (Posted by dave on Oct 4, 2000 8:04 AM EDT)
  • Story Type: Security; Groups: Red Hat
LPRng has a string format bug in the use_syslog function which could lead to root compromise.

Slackware alert: wuftpd vulnerability - Slackware 4.0, 7.0, 7.1, -current

A vulnerability involving an input validation error in the "site exec" command has recently been identified in the wu-ftpd program (CERT Advisory CA-2000-13).

SuSE alert: Crypto packages for 7.0

  • Mailing list (Posted by dave on Sep 25, 2000 4:18 PM EDT)
  • Story Type: Security; Groups: SUSE
Many customers have asked to publish the packages of the SuSE-7.0 distribution that are not included in the US version due to US crypto regulations.

Debian alert: Security policy for Debian 2.1 (slink) (updated)

  • Mailing list (Posted by dave on Sep 21, 2000 4:18 AM EDT)
  • Story Type: Security; Groups: Debian
We value your input during this transitional phase. Please direct your comments to feedback@security.debian.org

Red Hat alert: glint symlink vulnerability

  • Mailing list (Posted by dave on Sep 20, 2000 6:13 PM EDT)
  • Story Type: Security; Groups: Red Hat
glint blindly follows a symlink in /tmp, overwriting the target file, so it can conceivably be used to destroy any file on the system.

SuSE alert: syslogd/klogd

  • Mailing list (Posted by dave on Sep 19, 2000 5:07 PM EDT)
  • Story Type: Security; Groups: SUSE
The syslogd package consists of two daemons that are being launched upon system startup: klogd and syslogd. The former collects kernel messages and passes them on to the syslog(3) facility. syslogd will pick up the logging messages and write them to the logfiles as specified by the syslogd configuration file /etc/syslog.conf. Errors in both the klogd and the syslogd can cause both daemons do die when specially designed strings get passed to the kernel by the user, eg. with a malformed structure in a system call. These errors have been discovered by Jouko Pynnönen, Solar Designer, a fix for one of the bugs has been provided by Daniel Jacobowitz.

Debian alert: New versions of sysklogd released

  • Mailing list (Posted by dave on Sep 19, 2000 9:31 AM EDT)
  • Story Type: Security; Groups: Debian
Multiple vulnerabilities have been reported in syslogd and klogd. A local root exploit is possible, and remote exploits may be possible in some cases (though we are not currently aware of a remote exploit.)

Slackware alert: klogd Kernel Logger vulnerability and fix

A string format / buffer overflow bug has been discovered in klogd, the kernel logging daemon. Please upgrade to the new sysklogd 1.4 package available on the Slackware FTP site.

Red Hat alert: syslog format vulnerability in klogd

  • Mailing list (Posted by dave on Sep 18, 2000 11:42 AM EDT)
  • Story Type: Security; Groups: Red Hat
Various vulnerabilities exist in syslogd/klogd. By exploiting these vulnerabilities, it could be possible for local users to gain root access. No remote exploit exists at this time, but it remains theoretically possible that this vulnerability could be exploited remotely under certain rare circumstances. All users should upgrade to the new sysklogd packages. Users of Red Hat Linux 6.0 and 6.1 should use the packages for Red Hat Linux 6.

Debian alert: Security update policy for Debian 2.1 (slink)

  • Mailing list (Posted by dave on Sep 14, 2000 2:40 PM EDT)
  • Story Type: Security; Groups: Debian
We would appreciate hearing whether we have allowed enough time for the slink->potato transition. Please direct your comments to feedback@security.debian.org

Red Hat alert: Format string exploit in screen

  • Mailing list (Posted by dave on Sep 14, 2000 10:20 AM EDT)
  • Story Type: Security; Groups: Red Hat
Security hole in screen in Red Hat Linux 5.2 and earlier releases

Slackware alert: xchat input validation bug fixed

An input validation bug was found to affect Slackware Linux 7.0, 7.1, and -current.

Red Hat alert: xpdf bugfix release

  • Mailing list (Posted by dave on Sep 13, 2000 2:57 PM EDT)
  • Story Type: Security; Groups: Red Hat
Security problem in temporary file and malicious URL.

« Previous ( 1 ... 5457 5458 5459 5460 5461 5462 5463 5464 5465 ... 5466 ) Next »