Showing headlines posted by dave

« Previous ( 1 ... 551 552 553 554 555 556 557 558 559 560 561 ... 595 ) Next »

Red Hat alert: Updated analog packages are available

  • Mailing list (Posted by dave on Oct 10, 2002 6:47 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated packages for analog are available which fix a cross-site scripting problem and a denial of service problem.

Mandrake alert: kdelibs update

A vulnerability was discovered in Konqueror's cross site scripting protection, in that it fails to initialize the domains on sub-(i)frames correctly. Because of this, javascript may access any foreign subframe which is defined in the HTML source, which can be used to steal cookies from the client and allow other cross-site scripting attacks. This also affects other KDE software that uses the KHTML rendering engine. This is fixed in KDE 3.0.3a, and the KDE team provided a patch for KDE 2.2.2. This patch has been applied to the following packages. After upgrading kdelibs, you must restart KDE in order for the fix to work.

Debian alert: New bugzilla packages fix privilege escalation

  • Mailing list (Posted by dave on Oct 9, 2002 6:35 AM EDT)
  • Story Type: Security; Groups: Debian
The developers of Bugzilla, a web-based bug tracking system, discovered a problem in the handling of more than 47 groups. When a new product is added to an installation with 47 groups or more and "usebuggroups" is enabled, the new group will be assigned a groupset bit using Perl math that is not exact beyond 2^48. This results in the new group being defined with a "bit" that has several bits set. As users are given access to the new group, those users will also gain access to spurious lower group privileges. Also, group bits were not always reused when groups were deleted.

Debian alert: New fetchmail packages fix buffer overflows

  • Mailing list (Posted by dave on Oct 8, 2002 11:58 AM EDT)
  • Story Type: Security; Groups: Debian
Package : fetchmail, fetchmail-ssl Vulnerability : buffer overflows Problem-Type : remote Debian-specific: no

Debian alert: New ht://Check packages fix cross site scripting problem

  • Mailing list (Posted by dave on Oct 8, 2002 11:58 AM EDT)
  • Story Type: Security; Groups: Debian
Package : htcheck Vulnerability : cross site scripting Problem-Type : remote Debian-specific: no

Debian alert: New tkmail packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Oct 8, 2002 5:58 AM EDT)
  • Story Type: Security; Groups: Debian
It has been discovered that tkmail creates temporary files insecurely. Exploiting this an attacker with local access can easily create and overwrite files as another user.

Red Hat alert: Updated fetchmail packages fix vulnerabilities

  • Mailing list (Posted by dave on Oct 7, 2002 12:50 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0 which close a remotely-exploitable vulnerability in unpatched versions of fetchmail prior to 6.1.0.

SuSE alert: mod_php4

  • Mailing list (Posted by dave on Oct 7, 2002 1:28 AM EDT)
  • Story Type: Security; Groups: SUSE
PHP is a well known and widely used web programming language. If a PHP script runs in "safe mode" several restrictions are applied to it including limits on execution of external programs.

SuSE alert: hylafax

  • Mailing list (Posted by dave on Oct 7, 2002 1:15 AM EDT)
  • Story Type: Security; Groups: SUSE
HylaFAX is a client-server architecture for receiving and sending facsimiles.

Debian alert: New tomcat packages fix unintended source code disclosure

  • Mailing list (Posted by dave on Oct 4, 2002 5:08 AM EDT)
  • Story Type: Security; Groups: Debian
A security vulnerability has been found in all Tomcat 4.x releases. This problem allows an attacker to use a specially crafted URL to return the unprocessed source code of a JSP page, or, under special circumstances, a static resource which would otherwise have been protected by security constraints, without the need for being properly authenticated.

Red Hat alert: Updated packages fix PostScript and PDF security issue

  • Mailing list (Posted by dave on Oct 3, 2002 11:25 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated packages for ggv fix a local buffer overflow when reading malformed PDF or PostScript files.

Red Hat alert: Updated tcpdump packages fix buffer overflow

  • Mailing list (Posted by dave on Oct 3, 2002 11:22 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS packets. [Update 3 October 2002] Replacement packages have been added for Red Hat Linux 6.2 as the previous packages could not be installed with the version of RPM that shipped with Red Hat Linux 6.

Red Hat alert: Updated nss_ldap packages fix buffer overflow

  • Mailing list (Posted by dave on Oct 3, 2002 11:19 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These updates fix a potential buffer overflow which can occur when nss_ldap is set to configure itself using information stored in DNS, a format string bug in logging functions used in pam_ldap, and to properly handle truncated DNS responses.

Red Hat alert: Updated glibc packages fix vulnerabilities in resolver

  • Mailing list (Posted by dave on Oct 3, 2002 10:23 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated glibc packages are available to fix a buffer overflow in the resolver.

Mandrake alert: fetchmail update

Several buffer overflows and a boundary check error were discovered in all fetchmail versions prior to 6.1.0 by e-matters GmbH. These problems are vulnerable to crashes and/or arbitrary code execution by remote attackers if fetchmail is running in multidrop mode. The code execution would be done with the same privilege as the user running fetchmail.

Mandrake alert: postgresql update

Vulnerabilities were discovered in the Postgresql relational database by Mordred Labs. These vulnerabilities are buffer overflows in the rpad(), lpad(), repeat(), and cash_words() functions. The Postgresql developers also fixed a buffer overflow in functions that deal with time/date and timezone. Finally, more buffer overflows were discovered by Mordred Labs in the 7.2.2 release that are currently only fixed in CVS.

SuSE alert: heimdal

  • Mailing list (Posted by dave on Sep 30, 2002 7:33 AM EDT)
  • Story Type: Security; Groups: SUSE
The Heimdal package is a free Kerberos implementation offering flexible authentication mechanisms based on the Kerberos 5 and Kerberos 4 scheme. The SuSE Security Team has reviewed critical parts of the Heimdal package such as the kadmind and kdc server. While doing so several possible buffer overflows and other bugs have been uncovered and fixed. Remote attackers can probably gain remote root access on unpatched systems. Since these services run usually on authentication servers we consider these bugs to be very serious. An update is strongly recommended if you are using the Heimdal package.

Red Hat releases Red Hat Linux 8.0

RALEIGH, NC-September 30, 2002-Red Hat, Inc. (Nasdaq:RHAT) today released Red Hat Linux 8.0, a highly versatile operating system designed for personal and small business computing. Red Hat Linux 8.0 combines leading-edge Linux technologies with a new graphical look and feel that offers users a polished, easy-to-use operating environment.

Red Hat alert: Updated unzip and tar packages fix vulnerabilities

  • Mailing list (Posted by dave on Sep 29, 2002 12:55 AM EDT)
  • Story Type: Security; Groups: Red Hat
The unzip and tar utilities contain vulnerabilities which can allow arbitrary files to be overwritten during archive extraction.

Debian alert: New glibc packages fix

  • Mailing list (Posted by dave on Sep 26, 2002 9:01 AM EDT)
  • Story Type: Security; Groups: Debian
Wolfram Gloger discovered that the bugfix from DSA 149-1 unintentially replaced potential integer overflows in connection with malloc() with more likely divisions by zero. This called for an update. For completeness the original security advisory said:

« Previous ( 1 ... 551 552 553 554 555 556 557 558 559 560 561 ... 595 ) Next »