Showing all newswire headlines


Debian alert: New xsok packages fix local group games exploit

  • Mailing list (Posted by dave on Dec 30, 2003 12:46 AM EDT)
  • Story Type: Security; Groups: Debian
Steve Kemp discovered a problem in xsok, a single-player strategy game for X11 related to the Sokoban game, which allows a user to execute arbitrary commands under the GID of games.

Mozilla Links Newsletter - 9 - December 23, 2003

We are glad to announce that the next Mozilla Links issue (due January 2004) will be available as a subscription in Dutch, joining the current English and Polish editions. Expect Japanese and German very soon. So now you can subscribe to Mozilla Links and have it delivered every two weeks in your preferred language.

Interview with Michael Phipps, Project Leader of OpenBeOS

  • OSnews (Posted by dave on Dec 20, 2003 8:00 PM EDT)
  • Story Type: News Story
Koki from the Japanese site jpbe recently interviewed Michael Phipps, the project leader of OpenBeOS. The original interview in Japanese can be found here. Read more for the English version of the interview.

Desktop row threatens unified Linux effort

The latest project aimed at simplifying the complexity of the Linux world has met an early roadblock: the fractious relationship between the two biggest user interface systems.

Mandrake alert: Updated XFree86 packages fix xdm vulnerability

A vulnerability was discovered in the XDM display manager that ships with XFree86. XDM does not check for successful completion of the pam_setcred() call and in the case of error conditions in the installed PAM modules, XDM may grant local root access to any user with valid login credentials. It has been reported that a certain configuration of the MIT pam_krb5 module can result in a failing pam_setcred() call which leaves the session alive and would provide root access to any regular user. It is also possible that this vulnerability can likewise be exploited with other PAM modules in a similar manner.

Mini Interview with Ximian's Robert Love

Robert Love, well known for his kernel hacking, his preemptive patch and his recent book (review), recently joined Ximian in an effort to improve the Linux desktop experience via kernel development. Today we feature a mini-Q&A with Robert about this new project.

Interview: Red Hat's Owen Taylor on GTK+

Today we are very happy to feature an interview with Red Hat engineer Owen Taylor. Owen is the project leader of the GTK+ multi-platform toolkit and is also known for his contributions to Pango. It is also worth noting that a few days ago he received the highest number of votes in the Gnome Board of Directors elections. In the following Q&A we discuss the features of GTK+ 2.6 and beyond, RAD tools, performance, GL and other widgets, GTK# and lots more!

Mandrake alert: Updated irssi packages fix remote crash

A vulnerability in versions of irssi prior to 0.8.9 would allow a remote user to crash another user's irssi client provided that the client was on a non-x86 architecture or if the "gui print text" signal is being used by some script or plugin.

Mandrake alert: Updated lftp packages fix buffer overflow vulnerability

A buffer overflow vulnerability was discovered by Ulf Harnhammar in the lftp FTP client when connecting to a web server using HTTP or HTTPS and using the "ls" or "rels" command on a specially prepared directory. This vulnerability exists in lftp versions 2.3.0 through 2.6.9 and is corrected upstream in 2.6.10.

SuSE alert: lftp

  • Mailing list (Posted by dave on Dec 15, 2003 4:34 AM EDT)
  • Story Type: Security; Groups: SUSE
The flexible and powerful FTP command-line client lftp is vulnerable to two remote buffer overflows. When using lftp via HTTP or HTTPS to execute commands like 'ls' or 'rels', specially prepared directories on the server can trigger a buffer overflow in the HTTP handling functions of lftp to possibly execute arbitrary code on the client side. Please note that to exploit these bugs an attacker has to control the server side of the context, and the attacker will only gain access to the account of the user that is executing lftp.

Mandrake alert: Updated net-snmp packages fix vulnerability

A vulnerability in Net-SNMP versions prior to 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Slackware alert: cvs security update (SSA:2003-345-01)

CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory deals with the use of CVS as a server.

Mandrake alert: Updated ethereal packages fix multiple remotely exploitable vulnerabilities

A number of vulnerabilities were discovered in ethereal that, if exploited, could be used to make ethereal crash or run arbitrary code by injecting malicious malformed packets onto the wire or by convincing someone to read a malformed packet trace file.

Red Hat alert: Updated gnupg packages disable ElGamal keys

  • Mailing list (Posted by dave on Dec 10, 2003 6:09 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated gnupg packages are now available for Red Hat Linux. These updates disable the ability to generate ElGamal keys (used for both signing and encrypting) and disable the ability to use ElGamal public keys for encrypting data.

Mandrake alert: Updated cvs packages fix malformed module request vulnerability

A vulnerability was discovered in the CVS server < 1.11.10 where a malformed module request could cause the CVS server to attempt to create directories and possibly files at the root of the filesystem holding the CVS repository.

Mozilla Links Newsletter - 8 - December 9, 2003

As you may know, Mozilla Firebird and Mozilla Thunderbird, currently in development, are expected to become the main browser and e-mail applications at some time during the first half of 2004. So you may want to know that Mozilla Thunderbird 0.4 was just released. It features bug (error) fixes and welcome improvements like address book Palm synchronization.

Mandrake alert: Updated screen packages fix buffer overflow vulnerability

A vulnerability was discovered and fixed in screen by Timo Sirainen, who found an exploitable buffer overflow that allowed privilege escalation. This vulnerability also has the potential to allow attackers to gain control of another user's screen session. Exploitation is not trivial and requires approximately 2GB of data to be transferred.

Mandrake alert: Updated cvs packages fix malformed module request vulnerability

A vulnerability was discovered in the CVS server < 1.11.10 where a malformed module request could cause the CVS server to attempt to create directories and possibly files at the root of the filesystem holding the CVS repository.

Mandrake alert: Updated rsync packages fix heap overflow vulnerability

A vulnerability was discovered in all versions of rsync prior to 2.5.7 that was recently used in conjunction with the Linux kernel do_brk() vulnerability to compromise a public rsync server.

Red Hat alert: New rsync packages fix remote security vulnerability

  • Mailing list (Posted by dave on Dec 4, 2003 12:14 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated rsync packages are now available that fix a heap overflow in the Rsync server.
