Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 ... 7439 ) Next »

SuSE alert: Slapper worm

  • Mailing list (Posted by dave on Sep 19, 2002 10:48 AM EDT)
  • Story Type: Security; Groups: SUSE
This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm.

Debian alert: New PHP packages fix several vulnerabilities

  • Mailing list (Posted by dave on Sep 18, 2002 5:40 AM EDT)
  • Story Type: Security; Groups: Debian
Wojciech Purczynski found out that it is possible for scripts to pass arbitrary text to sendmail as commandline extension when sending a mail through PHP even when safe_mode is turned on. Passing 5th argument should be disabled if PHP is configured in safe_mode, which is the case for newer PHP versions and for the versions below. This does not affect PHP3, though.

SuSE alert: xf86

  • Mailing list (Posted by dave on Sep 18, 2002 2:53 AM EDT)
  • Story Type: Security; Groups: SUSE
The xf86 package contains various libraries and programs which are fundamental for the X server to function. The libX11.so library from this package dynamically loads other libraries where the pathname is controlled by the user invoking the program linked against libX11.so. Unfortunately, libX11.so also behaves the same way when linked against setuid programs. This behavior allows local users to execute arbitrary code under a different UID which can be the root-UID in the worst case. libX11.so has been fixed to check for calls from setuid programs. It denies loading of user controlled libraries in this case. We recommend an update in any case since there is no easy workaround possible except removing the setuid bit from any program linked against libX11.so.

Debian alert: Multiple OpenSSL problems (update)

  • Mailing list (Posted by dave on Sep 17, 2002 6:16 AM EDT)
  • Story Type: Security; Groups: Debian
There was an error in the original openssl094 packages, resulting in an incomplete fix. This error has been corrected in 0.9.4-6.potato.2 and 0.9.4-6.woody.2. We recommend that you upgrade your openssl094 packages immediately. i386 packages are available at this time, and packages will be available shortly for other architectures. Note that the openssl 0.9.5a and 0.9.6 updates were not affected by this error.

Debian alert: New kdelibs fix cross site scripting bug

  • Mailing list (Posted by dave on Sep 16, 2002 5:10 AM EDT)
  • Story Type: Security; Groups: Debian
A cross site scripting problem has been discovered in Konquerer, a famous browser for KDE and other programs using KHTML. The KDE team reports that Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, Javascript is able to access any foreign subframe which is defined in the HTML source. Users of Konqueror and other KDE software that uses the KHTML rendering engine may become victim of a cookie stealing and other cross site scripting attacks.

Debian alert: Multiple OpenSSL problems (update)

  • Mailing list (Posted by dave on Sep 15, 2002 7:11 PM EDT)
  • Story Type: Security; Groups: Debian
Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It includes ASN1 updates in the woody packages, plus the potato packages which were not initially available.

Red Hat alert: Updated ethereal packages available

  • Mailing list (Posted by dave on Sep 13, 2002 11:10 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated ethereal packages are available for Red Hat Powertools 6.2, 7, and 7.1. These packages are required for the Red Hat Security Advisory regarding applications linked against the old ucd-snmp libraries and also fix other security issues in ethereal.

Debian alert: New purity packages fix potential buffer overflows

  • Mailing list (Posted by dave on Sep 13, 2002 6:10 AM EDT)
  • Story Type: Security; Groups: Debian
Two buffer overflows have been discovered in purity, a game for nerds and hackers, which is installed setgid games on a Debian system. This problem could be exploited to gain unauthorized access to the group games. A malicious user could alter the highscore of several games.

Debian alert: New PostgreSQL packages fix several vulnerabilities

  • Mailing list (Posted by dave on Sep 12, 2002 6:58 AM EDT)
  • Story Type: Security; Groups: Debian
Mordred Labs and others found several vulnerabilities in PostgreSQL, an object-relational SQL database. They are inherited from several buffer overflows and integer overflows. Specially crafted long date and time input, currency, repeat data and long timezone names could cause the PostgreSQL server to crash as well as specially crafted input data for lpad() and rpad(). More buffer/integer overflows were found in circle_poly(), path_encode() and path_addr().

Mandrake alert: php update

A fifth parameter was added to PHP's mail() function in 4.0.5 that is not properly sanitized when the server is running in safe mode. This vulnerability would allow local users and, possibly, remote attackers to execute arbitrary commands using shell metacharacters. After upgrading to these packages, execute "service httpd restart" as root in order to close the hole immediately.

Debian alert: New cacti package fixes arbitrary code execution

  • Mailing list (Posted by dave on Sep 10, 2002 5:39 AM EDT)
  • Story Type: Security; Groups: Debian
A problem in cacti, a PHP based frontend to rrdtool for monitoring systems and services, has been discovered. This could lead into cacti executing arbitrary program code under the user id of the web server. This problem, however, is only persistant to users who already have administrator privileges in the cacti system.

Red Hat alert: Updated gaim client fixes URL vulnerability

  • Mailing list (Posted by dave on Sep 10, 2002 1:01 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated gaim packages are now available for Red Hat Powertools 7. These updates fix a vulnerability in the URL handler.

Red Hat alert: Updated gaim client fixes URL vulnerability

  • Mailing list (Posted by dave on Sep 10, 2002 1:00 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated gaim packages are now available for Red Hat Linux 7.1, 7.2, and 7.3. These updates fix a vulnerability in the URL handler.

Mandrake alert: kdelibs update

A vulnerability was discovered in KDE's SSL implementation in that it does not check the basic constraints on a certificate and as a result may accept certificates as valid that were signed by an issuer who is not authorized to do so. This can lead to Konqueror and other SSL- enabled KDE software falling victim to a man-in-the-middle attack without being aware of the invalid certificate. This will trick users into thinking they are on a secure connection with a valid site when in fact the site is different from that which they intended to connect to. This is fixed in KDE 3.0.3, and the KDE team provided a patch for KDE 2.2.2. This patch has been applied to the following packages. After upgrading kdelibs, you must restart KDE in order for the fix to work.

Mandrake alert: krb5 update

The network authentication system in Kerberos 5 contains an RPC library that includes an XDR decoder derived from Sun's RPC implementation. This implemenation is vulnerable to a heap overflow. With Kerberos, it is believed that an attacker would need to be able to successfully authenticate to kadmin to be able to exploit this vulnerability.

Debian alert: New mhonarc packages fix cross site scripting problems

  • Mailing list (Posted by dave on Sep 9, 2002 9:05 AM EDT)
  • Story Type: Security; Groups: Debian
Jason Molenda and Hiromitsu Takagi found ways to exploit cross site scripting bugs in mhonarc, a mail to HTML converter. When processing maliciously crafted mails of type text/html, mhonarc, does not deactivate all scripting parts properly. This is fixed in upstream version 2.5.3.

Debian alert: New Python packages fix problem introduced by security fix

  • Mailing list (Posted by dave on Sep 9, 2002 7:31 AM EDT)
  • Story Type: Security; Groups: Debian
[The mail just sent was formatted like an attachment due to a misconception on my side. This mail is only the clearsign version. ]

Red Hat alert: New wordtrans packages fix remote vulnerabilities

  • Mailing list (Posted by dave on Sep 9, 2002 5:36 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated wordtrans packages are now available for Red Hat Linux 7.3 which fix remote vulnerabilities in wordtrans-web.

Debian alert: New ethereal packages fix buffer overflow

  • Mailing list (Posted by dave on Sep 6, 2002 6:22 AM EDT)
  • Story Type: Security; Groups: Debian
Ethereal developers discovered a buffer overflow in the ISIS protocol dissector. It may be possible to make Ethereal crash or hang by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. It may be possible to make Ethereal run arbitrary code by exploiting the buffer and pointer problems.

Mandrake alert: gaim update

Versions of Gaim (an AOL instant message client) prior to 0.58 contain a buffer overflow in the Jabber plug-in module. As well, a vulnerability was discovered in the URL-handling code, where the "manual" browser command passes an untrusted string to the shell without reliable quoting or escaping. This allows an attacker to execute arbitrary commands on the user's machine with the user's permissions. Those using the built-in browser commands are not vulnerable. Update: The 8.1 package had an incorrect dependency on perl. This package has been replaced with a proper package. Please note the differing md5 sums.

« Previous ( 1 ... 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 ... 7439 ) Next »