There were 12 security alerts issued last week:
- 3 from Debian
- 1 from EnGarde
- 1 from Gentoo
- 1 from Mandrake
- 1 from OpenPKG
- 2 from Red Hat
- 1 from SUSE
- 2 from Trustix
Debian: New gdk-pixbuf packages fix denial of service
Mar 16, 2004 2:37 PM
Thomas Kristensen discovered a vulnerability in gdk-pixbuf (binary package libgdk-pixbuf2), the GdkPixBuf image library for Gtk, that can cause the surrounding application to crash. To exploit this problem, a remote attacker could send a carefully-crafted BMP file via mail, which would cause e.g. Evolution to crash but is probably not limited to Evolution.
Debian: New Linux 2.2.10 packages fix local root exploit (powerpc/apus)
Mar 18, 2004 12:43 PM
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.
Debian: New openssl packages fix multiple vulnerabilities
Mar 17, 2004 9:07 PM
Two vulnerabilities were discovered in openssl, an implementation of the SSL protocol, using the Codenomicon TLS Test Tool.
EnGarde: 'openssl' Denial of Service vulnerabilities.
Mar 17, 2004 3:02 PM
Using a commercial TLS protocol testing suite the OpenSSL Project discovered three vulnerabilities in the OpenSSL toolkit. EnGarde Secure Linux is vulnerable to two of these three Denial of Service (DoS) vulnerabilities.
Gentoo: Multiple OpenSSL Vulnerabilities
Mar 18, 2004 12:39 PM
Three vulnerabilities have been found in OpenSSL via a commercial test suite for the TLS protocol developed by Codenomicon Ltd.
Mandrake: Updated openssl packages fix multiple vulnerabilities
Mar 17, 2004 5:58 PM
A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool.
OpenPKG: OpenPKG Security Advisory (openssl)
Mar 18, 2004 1:26 PM
According to an OpenSSL security advisory, denial of service vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive and versions 0.9.7a to 0.9.7c inclusive.
Red Hat: Updated Mozilla packages fix security issues
Mar 18, 2004 12:44 PM
Updated Mozilla packages that fix vulnerabilities in S/MIME parsing as well as other issues and bugs are now available.
Red Hat: Updated OpenSSL packages fix vulnerabilities
Mar 17, 2004 10:35 PM
Updated OpenSSL packages that fix several remote denial of service vulnerabilities are now available.
Mar 17, 2004 1:47 PM
The first bug occurs during SSL/TLS handshake in the function do_change_cipher_spec() due to a NULL pointer assignment. The second bug affects openssl version 0.9.7* only with Kerberos cipher-suite enabled and can be triggered during SSL/TLS handshake too.
Mar 18, 2004 10:27 PM
Several holes were discovered that could lead to denial of service (DoS) attacks on SSL-enabled services.
Mar 18, 2004 10:27 PM
The isag script shipped with sysstat was creating temporary files in the /tmp directory in an insecure way. As TSL does not include the prerequisites for running the script, we have removed it from the distribution.