Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7377 7378 7379 7380 7381 7382 7383 7384 7385 7386 7387 ... 7440 ) Next »

Mandrake alert: Updated kde3 packages fix arbitrary command execution

A vulnerability was discovered by the KDE team in the way that KDE uses Ghostscript for processing PostScript and PDF files. A malicious attacker could provide a carefully constructed PDF or PostScript file to an end user (via web or mail) that could lead to the execution of arbitrary commands as the user viewing the file. The vulnerability can be triggered even by the browser generating a directory listing with thumbnails.

Debian alert: New sendmail-wide packages fix DoS and arbitrary code execution

  • Mailing list (Posted by dave on Apr 17, 2003 5:58 AM EDT)
  • Story Type: Security; Groups: Debian
Michal Zalewski discovered a buffer overflow, triggered by a char to int conversion, in the address parsing code in sendmail, a widely used powerful, efficient, and scalable mail transport agent. This problem is potentially remotely exploitable.

Debian alert: New rinetd packages fix denial of service

  • Mailing list (Posted by dave on Apr 17, 2003 5:13 AM EDT)
  • Story Type: Security; Groups: Debian
Sam Hocevar discovered a security problem in rinetd, an IP connection redirection server. When the connection list is full, rinetd resizes the list in order to store the new incoming connection. However, this is done improperly, resulting in a denial of service and potentially execution of arbitrary code.

Debian alert: New OpenSSL packages fix decipher vulnerability

  • Mailing list (Posted by dave on Apr 16, 2003 10:44 PM EDT)
  • Story Type: Security; Groups: Debian
Researchers discovered two flaws in OpenSSL, a Secure Socket Layer (SSL) library and related cryptographic tools. Applications that are linked against this library are generally vulnerable to attacks that could leak the server's private key or make the encrypted session decryptable otherwise. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

Mandrake alert: Updated eog packages fix arbitrary command execution

A vulnerability was discovered in the Eye of GNOME (EOG) program, version 2.2.0 and earlier, that is used for displaying graphics. A carefully crafted filename passed to eog could lead to the execution of arbitrary code as the user executing eog.

Mandrake alert: Updated xfsdump packages fix insecure file creation

A vulnerability was discovered in xfsdump by Ethan Benson related to filesystem quotas on the XFS filesystem. When xfsdump runs xfsdq to save the quota information into a file at the root of the filesystem being dumped, the file is created in an unsafe manner.

Mandrake alert: Updated gtkhtml packages fix vulnerability

A vulnerability in GtkHTML was discovered by Alan Cox with the Evolution email client. GtkHTML is used to handle HTML messages in Evolution and certain malformed messages could cause Evolution to crash due to this bug.

Mandrake alert: Updated evolution packages fix multiple vulnerabilities

Several vulnerabilities were discovered in the Evolution email client. These problems make it possible for a carefully constructed email message to crash the program, causing general system instability by starving resources.

Debian alert: New lpr packages fix local root exploit (potato)

  • Mailing list (Posted by dave on Apr 15, 2003 5:33 AM EDT)
  • Story Type: Security; Groups: Debian
The correction for CAN-2003-0144 for the old stable distribution (potato) was a little bit too strict apparently and this update corrects this. For completeness here is the advisory text:

Debian alert: New EPIC packages fix DoS and arbitrary code execution

  • Mailing list (Posted by dave on Apr 15, 2003 3:09 AM EDT)
  • Story Type: Security; Groups: Debian
Timo Sirainen discovered several problems in EPIC, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to executing of arbitrary code under the user id of the chatting user.

Debian alert: New EPIC packages fix DoS and arbitrary code execution

  • Mailing list (Posted by dave on Apr 15, 2003 2:00 AM EDT)
  • Story Type: Security; Groups: Debian
Timo Sirainen discovered several problems in EPIC, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to executing of arbitrary code under the user id of the chatting user.

Debian alert: New gs-common packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Apr 14, 2003 6:35 AM EDT)
  • Story Type: Security; Groups: Debian
Paul Szabo discovered insecure creation of a temporary file in ps2epsi, a script that is distributed as part of gs-common which contains common files for different Ghostscript releases. ps2epsiuses a temporary file in the process of invoking ghostscript. This file was created in an insecure fashion, which could allow a local attacker to overwrite files owned by a user who invokes ps2epsi.

Debian alert: New lprng packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Apr 14, 2003 5:19 AM EDT)
  • Story Type: Security; Groups: Debian
Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purpose when it is configured as filter. The program does not check whether this file already exists or is linked to another place writes its current environment and called arguments to the file unconditionally with the user id daemon.

Debian alert: New kdegraphics packages fix arbitrary command execution

  • Mailing list (Posted by dave on Apr 12, 2003 12:30 AM EDT)
  • Story Type: Security; Groups: Debian
The KDE team discoverd a vulnerability in the way KDE uses Ghostscript software for processing of PostScript (PS) and PDF files. An attacker could provide a malicious PostScript or PDF file via mail or websites that could lead to executing arbitrary commands under the privileges of the user viewing the file or when the browser generates a directory listing with thumbnails.

Debian alert: New xfsdump packages fix insecure file creation

  • Mailing list (Posted by dave on Apr 10, 2003 10:16 PM EDT)
  • Story Type: Security; Groups: Debian
Ethan Benson discovered a problem in xfsdump, that contains administrative utilities for the XFS filesystem. When filesystem quotas are enabled xfsdump runs xfsdq to save the quota information into a file at the root of the filesystem being dumped. The manner in which this file is created is unsafe.

Red Hat alert: Updated glibc packages fix vulnerabilities in RPC XDR decoder

  • Mailing list (Posted by dave on Apr 10, 2003 3:33 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated glibc packages are available to fix an integer overflow in the XDR decoder.

Mandrake alert: Updated 2.4 kernel packages fix ptrace vulnerability

A bug in the kernel module loader code could allow a local user to gain root privileges. This is done by a local user using ptrace and attaching to a modprobe process that is spawned if the user triggers the loading of a kernel module.

Red Hat alert: Updated httpd packages fix security vulnerabilities.

  • Mailing list (Posted by dave on Apr 9, 2003 8:31 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated httpd packages which fix a number of security issues are now available for Red Hat Linux 8.0 and 9.

Debian alert: New heimdal packages fix authentication failure

  • Mailing list (Posted by dave on Apr 9, 2003 7:56 AM EDT)
  • Story Type: Security; Groups: Debian
Due to overzealous applied patches, the security update DSA 269-1 introduced problems in some installations, causing the hprop service to fail. This is corrected with the update below.

Debian alert: New glibc packages fix arbitrary code execution

  • Mailing list (Posted by dave on Apr 9, 2003 3:20 AM EDT)
  • Story Type: Security; Groups: Debian
eEye Digital Security discovered an integer overflow in the xdrmem_getbytes() function which is also present in GNU libc. This function is part of the XDR (external data representation) encoder/decoder derived from Sun's RPC implementation. Depending upon the application, this vulnerability can cause buffer overflows and could possibly be exploited to execute arbitray code.

« Previous ( 1 ... 7377 7378 7379 7380 7381 7382 7383 7384 7385 7386 7387 ... 7440 ) Next »