Showing all newswire headlines

The authors of tinyproxy, a lightweight HTTP proxy, discovered a bug in the handling of some invalid proxy requests. Under some circumstances, an invalid request may result in a allocated memory being freed twice. This can potentially result in the execution of arbitrary code.

Updated secureweb packages are now available for Red Hat Secure Web Server 3.

A problem with wwwoffle has been discovered. The web proxy didn't handle input data with negative Content-Length settings properly which causes the processing child to crash. It is at this time not obvious how this can lead to an exploitable vulnerability; however, it's better to be safe than sorry, so here's an update.

Updated OpenSSL packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These updates fix multiple protocol parsing bugs which may be used in a denial of service (DoS) attack or cause SSL-enabled applications to crash.

Updated gaim packages are now available for Red Hat Linux 7.1, 7.2, and 7.3. These updates fix a buffer overflow in the Jabber plug-in module.

Updated gaim packages are now available for Red Hat Powertools 7. These updates fix a buffer overflow in the Jabber plug-in module.

An integer overflow bug has been discovered in the RPC library used by the Kerberos 5 administration system, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful. No exploits are known to exist yet.

An integer overflow bug has been discovered in the RPC library used by the OpenAFS database server, which is derived from the SunRPC library. This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes. No exploits are known to exist yet.

In addition to the advisory DSA 140-1 the packages below fix another potential buffer overflow. The PNG libraries implement a safety margin which is also included in a newer upstream release. Thanks to Glenn Randers-Pehrson for informing us.

Eckehard Berns discovered a buffer overflow in the munpack program which is used for decoding (respectively) binary files in MIME (Multipurpose Internet Mail Extensions) format mail messages. If munpack is run on an appropriately malformed email (or news article) then it will crash, and perhaps can be made to run arbitrary code.

Developers of the PNG library have fixed a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications which could potentially allow an attacker to execute malicious code. Programs such as Galeon, Konquerer and various others make use of these libraries.

GOBBLES found an insecure use of format strings in the super package. The included program super is intended to provide access to certain system users for particular users and programs, similar to the program super. Exploiting this format string vulnerability a local user can gain unauthorized root accesss.

The openssh source tarball openssh-3.4p1.tar.gz from the openbsd ftp server http://ftp.openbsd.org has been trojaned with code that opens network connections to a server in the internet (203.62.158.32:6667) at compile time. The backdoor does not have any influence on the runtime behaviour of the package to our current knowlege. As of now, the package on the openbsd ftp server has not been removed/cleaned.

The WWWOFFLE, World Wide Web Offline Explorer, program suite acts as a HTTP, FTP and Finger proxy to allow users with dial-up access to the internet to do offline WWW browsing.

A problem was found in gallery (a web-based photo album toolkit): it was possible to pass in the GALLERY_BASEDIR variable remotely. This made it possible to execute commands under the uid of web-server.

Several security updates are now available for Slackware 8.1, including updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.

This security announcement covers two different errors in packages used by and used with the apache package. The first bug is an off-by-one overflow in the code responsible for handling configuration directives in mod_ssl, the apache module that enables apache to serve SSL encrypted http protocol. This vulnerability allows a local attacker to use a specially prepared .htaccess file for a denial of service attack against a webserver child, resulting in an increased resource usage overhead on busy webservers, or possibly to execute arbitrary commands as the webserver user (wwwrun in the SuSE case). This bug has been discovered by Frank Denis. The second bug was found by Markus Meissner (while working for Caldera in 2001, now SuSE) and Sebastian Krahmer, SuSE Security, independently. It is a temporary file handling problem in libmm (package name is "mm"), a library for communication between forked processes using IPC semaphores, IPC shared memory and/or shared mmap()'ed files. The vulnerability allows a local attacker to gain root privileges once she has succeeded to gain the (local) privileges of the user wwwrun on the system running the apache webserver.

Updated mm packages are now available for Red Hat Linux 7, 7.1, 7.2, and 7.3. These updates address possible vulnerabilities in how the MM library opens temporary files.

Marcus Meissner and Sebastian Krahmer discovered and fixed a temporary file vulnerability in the mm shared memory library. This problem can be exploited to gain root access to a machine running Apache which is linked against this library, if shell access to the user ``www-data'' is already available (which could easily be triggered through PHP).

The openssl package provides encryption functions and is used by many applications on SuSE products.