Showing headlines posted by dave

« Previous ( 1 ... 579 580 581 582 583 584 585 586 587 588 589 ... 595 ) Next »

Red Hat alert: Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7.

  • Mailing list (Posted by dave on Mar 2, 2001 1:05 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7.

Debian alert: New version of sudo released

  • Mailing list (Posted by dave on Feb 28, 2001 3:32 AM EDT)
  • Story Type: Security; Groups: Debian
Todd Miller announced a new version of sudo which corrects a buffer overflow that could potentially be used to gain root privilages on the local system. The fix from sudo 1.6.3p6 is available in sudo 1.6.2p2-1potato1 for Debian 2.2 (potato).

Red Hat alert: New Zope packages are available

  • Mailing list (Posted by dave on Feb 26, 2001 11:42 AM EDT)
  • Story Type: Security; Groups: Red Hat
New Zope packages are available which fix numerous security vulnerabilities.

Slackware alert: buffer overflow in sudo fixed

Sudo 1.6.3p6 is now available for Slackware 7.1 and Slackware -current. This release fixes a known buffer overflow, which could be used by malicious users to compromise parts of the system. If you rely on Sudo and use one of the above versions of Slackware, it is recommended that you upgrade to the new sudo.tgz package for the version you're running.

Red Hat alert: Updated analog packages are available

  • Mailing list (Posted by dave on Feb 23, 2001 10:44 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated analog packages are available which fix a buffer overflow vulnerability.

Red Hat alert: New vixie-cron packages available

  • Mailing list (Posted by dave on Feb 19, 2001 11:01 AM EDT)
  • Story Type: Security; Groups: Red Hat
New vixie-cron packages are available that fix a buffer overflow in the 'crontab' command; this could allow certain users to gain elevated privileges. It is recommended that all users update to the fixed packages. Users of Red Hat Linux 6.0 or 6.1 should use the packages for Red Hat Linux 6.

SuSE alert: ssh

  • Mailing list (Posted by dave on Feb 16, 2001 8:43 AM EDT)
  • Story Type: Security; Groups: SUSE
SuSE distributions contain the ssh package in the version 1.2.27. No later version is provided because of licensing issues. SuSE maintains the 1.2.27 version in a patched package. Three new patches have been added that workaround three independent security problems in the ssh package: a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario, Crimelabs). Attackers can remotely brute-force passwords without getting noticed or logged. In the ssh package from the SuSE distribution, root login is allowed, as well as password authentication. Even though brute-forcing a password may take an enormous amount of time and resources, the issue is to be taken seriously. b) SSH1 session key recovery vulnerability (by (Ariel Waissbein, Agustin Azubel) - CORE SDI, Argentina, and David Bleichenbacher). Captured encrypted ssh traffic can be decrypted with some effort by obtaining the session key for the ssh session. The added patch in our package causes the ssh daemon to generate a new server key pair upon failure of an RSA operation (please note that the patch supplied with Iván Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!). c) In 1998, the ssh-1 protocol was found to be vulnerable to an attack where arbitrary sequences could be inserted into the ssh-1 protocol layer. The attack was called "crc32 compensation attack", and a fix was introduced (crc compensation attack detector in the ssh -v output) into the later versions of ssh. Michal Zalewski discovered that the fix in its most widely used implementation is defective. An integer overflow allows an attacker to overwrite arbitrary memory in the sshd process' address space, which potentionally results in a remote root compromise. There are easy resorts that can be offered: a) switch to openssh (please use the openssh packages on http://ftp.suse.com from the same update directories as the ssh package update URLs below indicate). openssh is a different implementation of the ssh protocol that is compatible to the protocol versions 1 and 2. Openssh Version 2.3.0 does not suffer from the problems listed above. Versions before 2.3.0 are vulnerable to other problems, so please use the updates from the update directory on the http://ftp.suse.de ftp server. See section 2) of this announcement for the md5sums of the packages. b) upgrade your ssh package from the locations described below.

SuSE alert: ssh

  • Mailing list (Posted by dave on Feb 16, 2001 8:02 AM EDT)
  • Story Type: Security; Groups: SUSE
SuSE distributions contain the ssh package in the version 1.2.27. No later version is provided because of licensing issues. SuSE maintains the 1.2.27 version in a patched package. Three new patches have been added that workaround three independent security problems in the ssh package: a) SSHD-1 Logging Vulnerability (discovered and published by Jose Nazario, Crimelabs). Attackers can remotely brute-force passwords without getting noticed or logged. In the ssh package from the SuSE distribution, root login is allowed, as well as password authentication. Even though brute-forcing a password may take an enormous amount of time and resources, the issue is to be taken seriously. b) SSH1 session key recovery vulnerability (by (Ariel Waissbein, Agustin Azubel) - CORE SDI, Argentina, and David Bleichenbacher). Captured encrypted ssh traffic can be decrypted with some effort by obtaining the session key for the ssh session. The added patch in our package causes the ssh daemon to generate a new server key pair upon failure of an RSA operation (please note that the patch supplied with Iván Arce on bugtraq on Wed, 7 Feb 2001 has been corrected later on!). c) In 1998, the ssh-1 protocol was found to be vulnerable to an attack where arbitrary sequences could be inserted into the ssh-1 protocol layer. The attack was called "crc32 compensation attack", and a fix was introduced (crc compensation attack detector in the ssh -v output) into the later versions of ssh. Michal Zalewski discovered that the fix in its most widely used implementation is defective. An integer overflow allows an attacker to overwrite arbitrary memory in the sshd process' address space, which potentionally results in a remote root compromise. There are easy resorts that can be offered: a) switch to openssh (please use the openssh packages on http://ftp.suse.com from the same update directories as the ssh package update URLs below indicate). openssh is a different implementation of the ssh protocol that is compatible to the protocol versions 1 and 2. Openssh Version 2.3.0 does not suffer from the problems listed above. Versions before 2.3.0 are vulnerable to other problems, so please use the updates from the update directory on the http://ftp.suse.de ftp server. See section 2) of this announcement for the md5sums of the packages. b) upgrade your ssh package from the locations described below.

Debian alert: New m68k packages of XFree86 released

  • Mailing list (Posted by dave on Feb 14, 2001 1:46 AM EDT)
  • Story Type: Security; Groups: Debian
Several people have noted a number of problems in several components of the X Window System sample implementation (from which XFree86 is derived). Please read DSA 030-1 for a detailed description.

Debian alert: Multiple security problems in X

  • Mailing list (Posted by dave on Feb 12, 2001 8:12 AM EDT)
  • Story Type: Security; Groups: Debian
Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others have noted a number of problems in several components of the X Window System sample implementation (from which XFree86 is derived). While there are no known reports of real-world malicious exploits of any of these problems, it is nevertheless suggested that you upgrade your XFree86 packages immediately.

Debian alert: New version of proftpd released

  • Mailing list (Posted by dave on Feb 11, 2001 6:53 PM EDT)
  • Story Type: Security; Groups: Debian
The following problems have been reported for the version of proftpd in Debian 2.2 (potato):

Debian alert: New man-db packages released

  • Mailing list (Posted by dave on Feb 8, 2001 2:38 PM EDT)
  • Story Type: Security; Groups: Debian
Styx has reported that the program `man' mistakenly passes malicious strings (i.e. containing format characters) through routines that were not meant to use them as format strings. Since this could cause a segmentation fault and privileges were not dropped it may lead to an exploit for the 'man' user.

Debian alert: New OpenSSH packages released

  • Mailing list (Posted by dave on Feb 8, 2001 2:08 PM EDT)
  • Story Type: Security; Groups: Debian
This upload fixes:

Red Hat alert: Three security holes fixed in new kernel

  • Mailing list (Posted by dave on Feb 8, 2001 2:03 PM EDT)
  • Story Type: Security; Groups: Red Hat
Three security holes fixed in new kernel, and several other updates and bug fixes have been applied as well.

Red Hat alert: Updated XEmacs packages available for Red Hat Powertools 6.2

  • Mailing list (Posted by dave on Feb 6, 2001 11:22 AM EDT)
  • Story Type: Security; Groups: Red Hat
The XEmacs package as shipped with Red Hat PowerTools 6.2 has a security problem with gnuserv and gnuclient, due to a buffer overflow and weak security.

Red Hat alert: Updated XEmacs packages available for Red Hat Linux 7

  • Mailing list (Posted by dave on Feb 6, 2001 11:21 AM EDT)
  • Story Type: Security; Groups: Red Hat
The XEmacs package as shipped with Red Hat Linux 7 has a security problem with gnuserv and gnuclient.

SuSE alert: bind8

  • Mailing list (Posted by dave on Jan 30, 2001 4:14 PM EDT)
  • Story Type: Security; Groups: SUSE
bind-8.x in all versions of the SuSE distributions contain a bug in the transaction signature handling code that can allow to remotely over- flow a buffer and thereby execute arbitrary code as the user running the nameserver (this is user named by default on SuSE systems). In addition to this bug, another problem allows for a remote attacker to collect information about the running bind process (this has been found by Claudio Musmarra <a9605121@unet.univie.ac.at>). For more information on these bugs, please visit the CERT webpage at http://www.cert.org/advisories/CA-2001-02.html and the bind bugs webpage at http://www.isc.org/products/BIND/bind-security.html .

Red Hat alert: Updated inetd packages available for Red Hat Linux 6.2

  • Mailing list (Posted by dave on Jan 30, 2001 6:53 AM EDT)
  • Story Type: Security; Groups: Red Hat
The inetd server as shipped with Red Hat Linux 6.2 fails to close sockets for internal services properly.

SuSE alert: kdesu

  • Mailing list (Posted by dave on Jan 30, 2001 12:46 AM EDT)
  • Story Type: Security; Groups: SUSE
kdesu is a KDE frontend for su(1). When invoked it prompts for the root password and runs su(1). kdesu itself does not run setuid/setgid.

Red Hat alert: Updated bind packages available

  • Mailing list (Posted by dave on Jan 29, 2001 12:21 PM EDT)
  • Story Type: Security; Groups: Red Hat
Several security problems have been found in the bind 8.

« Previous ( 1 ... 579 580 581 582 583 584 585 586 587 588 589 ... 595 ) Next »