LXer Weekly Security Roundup - Mar 01, 2004 to Mar 08, 2004

Posted by dave on Mar 8, 2004 3:15 AM EDT
Dave Whitinger
Mail this story
Print this story

There were 16 security alerts issued last week:
  • 5 from Debian
  • 1 from Fedora
  • 2 from Fedora Legacy
  • 2 from Gentoo
  • 2 from Mandrake
  • 1 from OpenPKG
  • 1 from Red Hat
  • 2 from Trustix

Debian: New libapache-mod-python packages fix denial of service
Mar 1, 2004 12:25 PM
The Apache Software Foundation announced that some versions of mod_python contain a bug which, when processing a request with a malformed query string, could cause the corresponding Apache child to crash. This bug could be exploited by a remote attacker to cause a denial of service.



Debian: New libxml packages fix arbitrary code execution
Mar 4, 2004 12:47 PM
Yuuichi Teranishi discovered a flaw in libxml, the GNOME XML library. When fetching a remote resource via FTP or HTTP, the library uses special parsing routines which can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml1 or libxml2 that parses remote resources and allows the attacker to craft the URL, then this flaw could be used to execute arbitrary code.



Debian: New Linux 2.2.19 packages fix local root exploit (arm)
Mar 6, 2004 7:11 PM
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.



Debian: New Linux 2.2.20 packages fix local root exploit (i386+m68k+powerpc)
Mar 2, 2004 12:20 PM
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.



Debian: New Linux 2.2.22 packages fix local root exploit (alpha)
Mar 2, 2004 4:13 PM
Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.



Fedora: mailman 2.1.4 available
Mar 5, 2004 4:34 PM
A cross-site scripting bug in the 'create' CGI script affects versions of Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0992 to this issue.



Fedora Legacy: Updated kernel resolves security vulnerabilities
Mar 3, 2004 5:53 PM
Updated kernel packages that fix security vulnerabilities which may allow local users to gain root privileges are now available. These packages also resolve other minor issues.



Fedora Legacy: Updated util-linux resolves security vulnerability
Mar 5, 2004 1:13 PM
Updated util-linux packages that fix an information leak in the login program are now available.



Gentoo: Libxml2 URI Parsing Buffer Overflow Vulnerabilities
Mar 7, 2004 1:17 AM
A buffer overflow has been discovered in libxml2 versions prior to 2.6.6 which may be exploited by an attacker allowing the execution of arbitrary code.



Gentoo: Linux kernel do_mremap local privilege escalation vulnerability
Mar 7, 2004 1:17 AM
A critical security vulnerability has been found in recent Linux kernels by Paul Starzetz of iSEC Security Research which allows for local privilege escalations.



Mandrake: Updated libxml2 packages fix vulnerability
Mar 4, 2004 12:27 PM
A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi Teranishi. When fetching a remote source via FTP or HTTP, libxml2 uses special parsing routines that can overflow a buffer if passed a very long URL. In the event that the attacker can find a program that uses libxml2 which parses remote resources and allows them to influence the URL, this flaw could be used to execute arbitrary code. The updated packages provide a backported fix to correct the problem.



Mandrake: Updated pwlib packages fix vulnerability
Mar 4, 2004 12:27 PM
The NISCC uncovered bugs in pwlib prior to version 1.6.0 via a test suite for the H.225 protocol. An attacker could trigger these bugs by sending carefully crafted messages to an application that uses pwlib, and the severity would vary based on the application, but likely would result in a Denial of Service (DoS).



OpenPKG: OpenPKG Security Advisory (libxml)
Mar 5, 2004 5:39 PM
A flaw in the HTTP and FTP client sub-library of libxml2 [0] found by Yuuichi Teranishi can be exploited to cause a buffer overflow if passed a very long URL [1]. This could be used by an attacker to execute arbitrary code on the host computer. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0110 [2] to the problem.



Red Hat: Updated libxml2 packages fix security vulnerability
Mar 3, 2004 2:20 PM
[Updated 3 March 2004] Revised libxml2 packages are now available as the original packages did not contain a complete patch.



Trustix: libxml2
Mar 6, 2004 7:17 PM
URLs longer than 4096 bytes would cause an overflow while using nanohttp in libxml2.



Trustix: nfs-utils
Mar 6, 2004 4:50 PM
Certain incorrect DNS setups would cause rpc.mountd to crash, resulting in a remote DoS of the DNS client at mount time.



  Nav
» Read more about: Groups: Kernel, Debian, LXer, Fedora, Gentoo, OpenPKG, Red Hat, Trustix, PHP, Fedora Legacy, GNOME; Story Type: News Story

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.