Showing all newswire headlines
View by date, instead?« Previous ( 1 ... 7222 7223 7224 7225 7226 7227 7228 7229 7230 7231 7232 ... 7257 ) Next »
Debian alert: New analog packages fix cross-site scripting vulnerability
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack. It is easy for an attacker to insert arbitrary
strings into any web server logfile. If these strings are then
analysed by analog, they can appear in the report. By this means an
attacker can introduce arbitrary Javascript code, for example, into an
analog report produced by someone else and read by a third person.
Analog already attempted to encode unsafe characters to avoid this
type of attack, but the conversion was incomplete.
Debian alert: New mtr packages fix buffer overflow
The authors of mtr released a new upstream version, noting a
non-exploitable buffer overflow in their ChangeLog. Przemyslaw
Frasunek, however, found an easy way to exploit this bug, which allows
an attacker to gain access to the raw socket, which makes IP spoofing
and other malicious network activity possible.
Red Hat alert: Vulnerability in zlib library
[Update 20 Mar 2002:
Added kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC
packages as the previous fix caused another denial of service
vulnerability; thanks to Const Kaplinsky for reporting this]
[Update 14 Mar 2002:
Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing
the zlib fix; added missing kernel-headers package for 6.
Red Hat alert: Updated PHP packages are available [updated 2002-Mar-11]
Updated PHP packages are available to fix vulnerabilities in the functions
that parse multipart MIME data, which are used when uploading files
through forms.
This revised advisory contains updated packages for Red Hat Linux 7, 7.1,
and 7.
Red Hat alert: New imlib packages available
Updated imlib packages are now available for Red Hat Linux 6.2, 7,
7.1 and 7.2 which fix potential problems loading untrusted images.
Mandrake alert: fix for insecure default kdm configuration
A problem was discovered with the default configuration of the kdm display manager in Mandrake Linux.
Debian alert: listar buffer overflow
Janusz Niewiadomski and Wojciech Purczynski reported a buffer overflow
in the address_match of listar (a listserv style mailing-list manager).
Red Hat alert: Vulnerability in zlib library
[Update 14 Mar 2002:
Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing
the zlib fix; added missing kernel-headers package for 6.
Red Hat alert: Updated cups packages are available
Updated cups packages which fix a security problem are available.
Mandrake alert: rsync update
Ethan Benson discovered a bug in rsync where the supplementary groups that the rsync daemon runs as (such as root) would not be removed from the server process after changing to the specified unprivileged uid and gid. This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root). Note that, by default, Mandrake Linux uses xinetd to handle connections to the rsync daemon. This was fixed upstream in version 2.5.3, as well as the previously noted zlib fixes (see MDKSA-2002:023). The authors released 2.5.4 with some additional zlib fixes, and all users are encouraged to upgrade to this new version of rsync.
Mandrake alert: packages containing zlib update
Matthias Clasen found a security issue in zlib that, when provided with certain input, causes zlib to free an area of memory twice.
Red Hat alert: Updated secureweb packages available
Updated secureweb packages are now available for Red Hat Secure Web Server
3.2 (U.S.). These updates close a buffer overflow in mod_ssl.
Mandrake alert: packages containing zlib update
Matthias Clasen found a security issue in zlib that, when provided with certain input, causes zlib to free an area of memory twice.
Mandrake alert: zlib update
Matthias Clasen found a security issue in zlib that, when provided with certain input, causes zlib to free an area of memory twice. This "double free" bug can be used to crash any programs that take untrusted compressed input, such as web browsers, email clients, image viewing software, etc. This vulnerability can be used to perform Denial of Service attacks and, quite possibly, the execution of arbitrary code on the affected system. MandrakeSoft has published two advisories concerning this incident: MDKSA-2002:022 - zlib MDKSA-2002:023 - packages containing zlib The second advisory contains additional packages that bring their own copies of the zlib source, and as such need to be fixed and rebuilt. Updating the zlib library is sufficient to protect those programs that use the system zlib, but the packages as noted in MDKSA-2002:023 will need to be updated for those packages that do not use the system zlib.
Slackware alert: cvs recompiled against updated zlib + /tmp fix
New cvs packages are available to fix security problems.
Slackware alert: rsync update fixes security problems
New rsync packages are available to fix security problems.
Slackware alert: zlib upgrade fixes vulnerability
New zlib packages are available to fix a security problem which may impact
programs that link with zlib.
Debian alert: New zlib & other packages fix buffer overflow
The compression library zlib has a flaw in which it attempts to free
memory more than once under certain conditions. This can possibly be
exploited to run arbitrary code in a program that includes zlib. If a
network application running as root is linked to zlib, this could
potentially lead to a remote root compromise. No exploits are known at
this time. This vulnerability is assigned the CVE candidate name of
CAN-2002-0059.
SuSE alert: packages containing libz/zlib
This is the second announcement in the tandem-announcement about libz/zlib. SuSE Security Announcement SuSE-SA:2002:010 (libz/zlib) has been released prior to this announcement (SuSE-SA:2002:011). Please see SuSE-SA:2002:010 for details on the libz weakness. The two announcements SuSE-SA:2002:010 and SuSE-SA:2002:011 are being published in quick succession.
SuSE alert: libz/zlib
The zlib compression library is being used by many applications to provide data compression/decompression routines. An error in a decompression routine can corrupt the internal data structures of malloc by a double call to the free() function. If the data processed by the compression library is provided from an untrusted source, it may be possible for an attacker to interfere with the process using the zlib routines. The attack scenario includes a denial of service attack and memory/data disclosure, but it may also be possible to insert arbitrary code into the running program and to execute this code. This update fixes the known problems in the libz/zlib as a permanent fix. There exists no temporary workaround that can efficiently remedy the problem.
« Previous ( 1 ... 7222 7223 7224 7225 7226 7227 7228 7229 7230 7231 7232 ... 7257 ) Next »