LXer Weekly Security Roundup - Mar 15, 2004 to Mar 22, 2004

Posted by dave on Mar 22, 2004 4:03 AM EDT
Dave Whitinger
Mail this story
Print this story

There were 12 security alerts issued last week:
  • 3 from Debian
  • 1 from EnGarde
  • 1 from Gentoo
  • 1 from Mandrake
  • 1 from OpenPKG
  • 2 from Red Hat
  • 1 from SUSE
  • 2 from Trustix

Debian: New gdk-pixbuf packages fix denial of service
Mar 16, 2004 2:37 PM
Thomas Kristensen discovered a vulnerability in gdk-pixbuf (binary package libgdk-pixbuf2), the GdkPixBuf image library for Gtk, that can cause the surrounding application to crash. To exploit this problem, a remote attacker could send a carefully-crafted BMP file via mail, which would cause e.g. Evolution to crash but is probably not limited to Evolution.

Debian: New Linux 2.2.10 packages fix local root exploit (powerpc/apus)
Mar 18, 2004 12:43 PM
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.

Debian: New openssl packages fix multiple vulnerabilities
Mar 17, 2004 9:07 PM
Two vulnerabilities were discovered in openssl, an implementation of the SSL protocol, using the Codenomicon TLS Test Tool.

EnGarde: 'openssl' Denial of Service vulnerabilities.
Mar 17, 2004 3:02 PM
Using a commercial TLS protocol testing suite the OpenSSL Project discovered three vulnerabilities in the OpenSSL toolkit. EnGarde Secure Linux is vulnerable to two of these these three Denial of Service (DoS) vulnerabilities.

Gentoo: Multiple OpenSSL Vulnerabilities
Mar 18, 2004 12:39 PM
Three vulnerabilities have been found in OpenSSL via a commercial test suite for the TLS protocol developed by Codenomicon Ltd.

Mandrake: Updated openssl packages fix multiple vulnerabilities
Mar 17, 2004 5:58 PM
A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool.

OpenPKG: OpenPKG Security Advisory (openssl)
Mar 18, 2004 1:26 PM
According to an OpenSSL security advisory, a denial of service vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive and versions 0.9.7a to 0.9.7c inclusive.

Red Hat: Updated Mozilla packages fix security issues
Mar 18, 2004 12:44 PM
Updated Mozilla packages that fix vulnerabilities in S/MIME parsing as well as other issues and bugs are now available.

Red Hat: Updated OpenSSL packages fix vulnerabilities
Mar 17, 2004 10:35 PM
Updated OpenSSL packages that fix several remote denial of service vulnerabilities are now available.

SUSE: openssl
Mar 17, 2004 1:47 PM
The first bug occurs during SSL/TLS handshake in the function do_change_cipher_spec() due to a NULL pointer assignment. The second bug affects openssl version 0.9.7* only with Kerberos cipher-suite enabled and can be triggered during SSL/TLS handshake too.

Trustix: openssl
Mar 18, 2004 10:27 PM
Several holes were discovered that could lead to denial of service (DoS) attacks on SSL-enabled services.

Trustix: sysstat
Mar 18, 2004 10:27 PM
The isag script shipped with sysstat was creating temporary files in the /tmp directory in an insecure way. As TSL does not include the prerequisites for runnining the script, we have removed it from the distribution.

» Read more about: Story Type: Roundups

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.