Showing all newswire headlines
View by date, instead?« Previous ( 1 ... 7392 7393 7394 7395 7396 7397 7398 7399 7400 7401 7402 ... 7439 ) Next »
Debian alert: New BIND packages fix several vulnerabilities
[Bind version 9, the bind9 package, is not affected by these problems.]
Mandrake alert: bind update
Several vulnerabilities were discovered in the BIND8 DNS server by ISS (Internet Security Services), including a remotely exploitable buffer overflow. The first vulnerability is how named handles SIG records; this buffer overflow can be exploited to obtain access to the victim host with the privilege of the user the named process is running as. By default, Mandrake Linux is configured to run the named process as the named user. To successfully exploit this vulnerability, the attacker must control an existing DNS domain and must be allowed to perform a recursive query.
SuSE alert: Multiple vulnerabilities in BIND8
The security research company ISS (Internet Security Services) has discovered several vulnerabilities in the BIND8 name server, including a remotely exploitable buffer overflow.
Debian alert: New Apache-Perl packages fix several vulnerabilities
According to David Wagner, iDEFENSE and the Apache HTTP Server
Project, several vulnerabilities have been found in the Apache server
package, a commonly used webserver. Most of the code is shared
between the Apache and Apache-Perl packages, so vulnerabilities are
shared as well.
Red Hat alert: Remote vulnerabilities in BIND 4 and 8
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. Three remotely exploitable vulnerabilities were disclosed by ISC on 12 November 2002 that affect various versions of BIND 4 and 8.
Debian alert: New masqmail packages fix buffer overflows
A set of buffer overflows have been discovered in masqmail, a mail
transport agent for hosts without permanent internet connection. In
addition to this privileges were dropped only after reading a user
supplied configuration file. Together this could be exploited to gain
unauthorized root access to the machine on which masqmail is
installed.
SuSE alert: (traceroute-nanog/nkitb)
Traceroute is a tool that can be used to track packets in a TCP/IP network to determine it's route or to find out about not working routers. Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.
SuSE alert: KDE lanbrowser vulnerability
During a security review, the SuSE security team has found two vulnerabilities in the KDE lanbrowsing service.
Red Hat alert: New PHP packages fix vulnerability in mail function
PHP versions up to and including 4.
Debian alert: New klisa packages fix buffer overflow
iDEFENSE reports a security vulnerability in the klisa package, that
provides a LAN information service similar to "Network Neighbourhood",
which was discovered by Texonet. It is possible for a local attacker
to exploit a buffer overflow condition in resLISa, a restricted
version of KLISa. The vulnerability exists in the parsing of the
LOGNAME environment variable, an overly long value will overwrite the
instruction pointer thereby allowing an attacker to seize control of
the executable.
Debian alert: New squirrelmail packages fix problem in options page
The security update for Squirrelmail (DSA 191-1) unfortunately
introduced a bug in the options page. This problem is fixed in
version 1.2.6-1.2 the current stable distribution (woody). The
unstable distribution (sid) and the old stable distribution (potato)
were not affected by this. For completeness please find below the
original security advisory:
Debian alert: New html2ps packages fix arbitrary code execution
The SuSE Security Team found a vulnerability in html2ps, a HTML to
PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed
as filter within lrpng and the attacker has previously gained access
to the lp account.
Mandrake alert: perl-MailTools update
A vulnerability was discovered in Mail::Mailer perl module by the SuSE security team during an audit. The vulnerability allows remote attackers to execute arbitrary commands in certain circumstances due to the usage of mailx as the default mailer, a program that allows commands to be embedded in the mail body.
Mandrake alert: nss_ldap update
A buffer overflow vulnerability exists in nss_ldap versions prior to 198. When nss_ldap is configured without a value for the "host" keyword, it attempts to configure itself using SRV records stored in DNS. nss_ldap does not check that the data returned by the DNS query will fit into an internal buffer, thus exposing it to an overflow.
Debian alert: New squirrelmail packages fix cross site scripting bugs
Several cross site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4. The
Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:
Red Hat alert: Updated kerberos packages available
A remotely exploitable stack buffer overflow has been found in the Kerberos
v4 compatibility administration daemon distributed with the Red Hat Linux
krb5 packages.
Debian alert: buffer overflow in Window Maker
Al Viro found a problem in the image handling code use in Window Maker,
a popular NEXTSTEP like window manager. When creating an image it would
allocate a buffer by multiplying the image width and height, but did not
check for an overflow. This makes it possible to overflow the buffer.
This could be exploited by using specially crafted image files (for
example when previewing themes).
Red Hat alert: Updated glibc packages fix vulnerabilities in resolver
Updated glibc packages are available to fix a buffer overflow in the
resolver.
Debian alert: New luxman packages fix local root exploit
iDEFENSE reported about a vulnerability in LuxMan, a maze game for
GNU/Linux, similar to the PacMan arcade game. When successfully
exploited it a local attacker with read write access to the Memory,
leading to a local root compromise in many ways, examples of which
include scanning the file for fragments of the master password file
and modifying kernel memory to re-map system calls.
Debian alert: New Apache-SSL packages fix several vulnerabilities
According to David Wagner, iDEFENSE and the Apache HTTP Server
Project, several vulnerabilities have been found in the Apache
package, a commonly used webserver. Most of the code is shared
between the Apache and Apache-SSL packages, so vulnerabilities are
shared as well. These vulnerabilities could allow an attacker to
enact a denial of service against a server or execute a cross
scripting attack, or steal cookies from other web site users.
Vulnerabilities in the included lecacy programs htdigest, htpasswd and
ApacheBench can be exploited when called via CGI. Additionally the
insecure temporary file creation in htdigest and htpasswd can also be
exploited locally. The Common Vulnerabilities and Exposures (CVE)
project identified the following vulnerabilities:
« Previous ( 1 ... 7392 7393 7394 7395 7396 7397 7398 7399 7400 7401 7402 ... 7439 ) Next »