Two vulnerabilities were discovered in the Apache web server that affect all 2.x versions prior to 2.0.46. The first, discovered by John Hughes, is a build system problem that allows remote attackers to prevent access to authenticated content when a threaded server is used. This only affects versions of Apache compiled with threaded server "httpd.worker", which is not the default for Mandrake Linux.
New ghostscript packages fixing a command execution vulnerability are now available.
A Denial of Service (DoS) vulnerability was discovered in the CUPS printing system by Phil D'Amore of Red Hat. The IPP (Internet Printing Protocol) that CUPS uses is single-threaded and can only service one request at a time. A malicious user could create a partial request that does not time out and cause a Denial of Service condition where CUPS will not respond to other printing requests. This can only be done if the malicious user can create a TCP connection to the IPP port (631 by default).
Upgraded CUPS packages are available for Slackware 8.1, 9.0, and -current to fix a denial of service attack vulnerability.
gPS is a graphical application to watch system processes. In release 1.1.0 of the gps package, several security vulnerabilities were fixed, as detailed in the changelog:
Updated httpd packages that fix two security issues are now available for Red Hat Linux 8.0 and 9.
Another integer overflow was found in glibc' XDR code. This bug is equal to the one described in advisory SuSE-SA:2002:031. The overflow occurs in the function xdrmem_getbytes() and can be used by external attackers to execute arbitrary code.
Updated CUPS packages that fix a denial of service vulnerability are now available.
A bug was discovered in GnuPG versions 1.2.1 and earlier. When gpg evaluates trust values for different UIDs assigned to a key, it would incorrectly associate the trust value of the UID with the highest trust value with every other UID assigned to that key. This prevents a warning message from being given when attempting to encrypt to an invalid UID, but due to the bug, is accepted as valid.
NOTE: The original advisory quotes a section of the Slackware ChangeLog which had inadvertently reversed the options to quotacheck. The correct option to use is 'm'. A corrected advisory follows:
An upgraded sysvinit package is available which fixes a problem with the use of quotacheck in /etc/rc.d/rc.M. The original version of rc.M calls quotacheck like this:
An upgrade for mod_ssl to version 2.8.14_1.3.27 is now available. This version provides RSA blinding by default which prevents an extended timing analysis from revealing details of the secret key to an attacker. Note that this problem was already fixed within OpenSSL, so this is a "double fix". With this package, mod_ssl is secured even if OpenSSL is not.
A key validation bug which results in all user IDs on a given key being treated with the validity of the most-valid user ID on that key has been fixed with the release of GnuPG 1.2.2.
An integer overflow in the xdrmem_getbytes() function found in the glibc library has been fixed. This could allow a remote attacker to execute arbitrary code by exploiting RPC service that use xdrmem_getbytes(). None of the default RPC services provided by Slackware appear to use this function, but third-party applications may make use of it.
New BitchX packages are available to fix security problems found by Timo Sirainen. BitchX is an IRC (Internet Relay Chat) client. Under certain circumstances, a malicious IRC server could cause BitchX to crash, or possibly to run arbitrary code as the user running BitchX.
New EPIC4 packages are available to fix security problems found by Timo Sirainen. EPIC4 is an IRC (Internet Relay Chat) client. Under certain circumstances, a malicious IRC server could cause EPIC4 to crash, or possibly to run arbitrary code as the user running EPIC4.
Karol Lewandowski discovered a problem with psbanner, a printer filter that creates a PostScript format banner. psbanner creates a temporary file for debugging purposes when it is configured as a filter, and does not check whether or not this file already exists or is a symlink. The filter will overwrite this file, or the file it is pointing to (if it is a symlink) with its current environment and called arguments with the user id that LPRng is running as.
A buffer overflow was discovered in the lpr printer spooling system that can be exploited by a local user to gain root privileges. This can be done even if the printer is configured properly.
A vulnerability in cdrecord was discovered that can be used to obtain root access because Mandrake Linux ships with the cdrecord binary suid root and sgid cdwriter.
Updated gnupg packages correcting a bug in the GnuPG key validation functions are now available.