Showing all newswire headlines
View by date, instead?« Previous ( 1 ... 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 ... 7439 ) Next »
SuSE alert: Slapper worm
This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm.
Debian alert: New PHP packages fix several vulnerabilities
Wojciech Purczynski found out that it is possible for scripts to pass
arbitrary text to sendmail as commandline extension when sending a
mail through PHP even when safe_mode is turned on. Passing 5th
argument should be disabled if PHP is configured in safe_mode, which
is the case for newer PHP versions and for the versions below. This
does not affect PHP3, though.
SuSE alert: xf86
The xf86 package contains various libraries and programs which are fundamental for the X server to function. The libX11.so library from this package dynamically loads other libraries where the pathname is controlled by the user invoking the program linked against libX11.so. Unfortunately, libX11.so also behaves the same way when linked against setuid programs. This behavior allows local users to execute arbitrary code under a different UID which can be the root-UID in the worst case. libX11.so has been fixed to check for calls from setuid programs. It denies loading of user controlled libraries in this case. We recommend an update in any case since there is no easy workaround possible except removing the setuid bit from any program linked against libX11.so.
Debian alert: Multiple OpenSSL problems (update)
There was an error in the original openssl094 packages, resulting in an
incomplete fix. This error has been corrected in 0.9.4-6.potato.2 and
0.9.4-6.woody.2. We recommend that you upgrade your openssl094 packages
immediately. i386 packages are available at this time, and packages will
be available shortly for other architectures. Note that the openssl
0.9.5a and 0.9.6 updates were not affected by this error.
Debian alert: New kdelibs fix cross site scripting bug
A cross site scripting problem has been discovered in Konquerer, a
famous browser for KDE and other programs using KHTML. The KDE team
reports that Konqueror's cross site scripting protection fails to
initialize the domains on sub-(i)frames correctly. As a result,
Javascript is able to access any foreign subframe which is defined in
the HTML source. Users of Konqueror and other KDE software that uses
the KHTML rendering engine may become victim of a cookie stealing and
other cross site scripting attacks.
Debian alert: Multiple OpenSSL problems (update)
Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It
includes ASN1 updates in the woody packages, plus the potato packages
which were not initially available.
Red Hat alert: Updated ethereal packages available
Updated ethereal packages are available for Red Hat Powertools 6.2, 7, and
7.1. These packages are required for the Red Hat Security Advisory
regarding applications linked against the old ucd-snmp libraries and also
fix other security issues in ethereal.
Debian alert: New purity packages fix potential buffer overflows
Two buffer overflows have been discovered in purity, a game for nerds
and hackers, which is installed setgid games on a Debian system. This
problem could be exploited to gain unauthorized access to the group
games. A malicious user could alter the highscore of several games.
Debian alert: New PostgreSQL packages fix several vulnerabilities
Mordred Labs and others found several vulnerabilities in PostgreSQL,
an object-relational SQL database. They are inherited from several
buffer overflows and integer overflows. Specially crafted long date
and time input, currency, repeat data and long timezone names could
cause the PostgreSQL server to crash as well as specially crafted
input data for lpad() and rpad(). More buffer/integer overflows were
found in circle_poly(), path_encode() and path_addr().
Mandrake alert: php update
A fifth parameter was added to PHP's mail() function in 4.0.5 that is not properly sanitized when the server is running in safe mode. This vulnerability would allow local users and, possibly, remote attackers to execute arbitrary commands using shell metacharacters. After upgrading to these packages, execute "service httpd restart" as root in order to close the hole immediately.
Debian alert: New cacti package fixes arbitrary code execution
A problem in cacti, a PHP based frontend to rrdtool for monitoring
systems and services, has been discovered. This could lead into cacti
executing arbitrary program code under the user id of the web server.
This problem, however, is only persistant to users who already have
administrator privileges in the cacti system.
Red Hat alert: Updated gaim client fixes URL vulnerability
Updated gaim packages are now available for Red Hat Powertools 7.
These updates fix a vulnerability in the URL handler.
Red Hat alert: Updated gaim client fixes URL vulnerability
Updated gaim packages are now available for Red Hat Linux 7.1, 7.2, and
7.3. These updates fix a vulnerability in the URL handler.
Mandrake alert: kdelibs update
A vulnerability was discovered in KDE's SSL implementation in that it does not check the basic constraints on a certificate and as a result may accept certificates as valid that were signed by an issuer who is not authorized to do so. This can lead to Konqueror and other SSL- enabled KDE software falling victim to a man-in-the-middle attack without being aware of the invalid certificate. This will trick users into thinking they are on a secure connection with a valid site when in fact the site is different from that which they intended to connect to. This is fixed in KDE 3.0.3, and the KDE team provided a patch for KDE 2.2.2. This patch has been applied to the following packages. After upgrading kdelibs, you must restart KDE in order for the fix to work.
Mandrake alert: krb5 update
The network authentication system in Kerberos 5 contains an RPC library that includes an XDR decoder derived from Sun's RPC implementation. This implemenation is vulnerable to a heap overflow. With Kerberos, it is believed that an attacker would need to be able to successfully authenticate to kadmin to be able to exploit this vulnerability.
Debian alert: New mhonarc packages fix cross site scripting problems
Jason Molenda and Hiromitsu Takagi found ways to exploit cross site
scripting bugs in mhonarc, a mail to HTML converter. When processing
maliciously crafted mails of type text/html, mhonarc, does not
deactivate all scripting parts properly. This is fixed in upstream
version 2.5.3.
Debian alert: New Python packages fix problem introduced by security fix
[The mail just sent was formatted like an attachment due to a
misconception on my side. This mail is only the clearsign version. ]
Red Hat alert: New wordtrans packages fix remote vulnerabilities
Updated wordtrans packages are now available for Red Hat Linux 7.3 which
fix remote vulnerabilities in wordtrans-web.
Debian alert: New ethereal packages fix buffer overflow
Ethereal developers discovered a buffer overflow in the ISIS protocol
dissector. It may be possible to make Ethereal crash or hang by
injecting a purposefully malformed packet onto the wire, or by
convincing someone to read a malformed packet trace file. It may be
possible to make Ethereal run arbitrary code by exploiting the buffer
and pointer problems.
Mandrake alert: gaim update
Versions of Gaim (an AOL instant message client) prior to 0.58 contain a buffer overflow in the Jabber plug-in module. As well, a vulnerability was discovered in the URL-handling code, where the "manual" browser command passes an untrusted string to the shell without reliable quoting or escaping. This allows an attacker to execute arbitrary commands on the user's machine with the user's permissions. Those using the built-in browser commands are not vulnerable. Update: The 8.1 package had an incorrect dependency on perl. This package has been replaced with a proper package. Please note the differing md5 sums.
« Previous ( 1 ... 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 ... 7439 ) Next »