Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7398 7399 7400 7401 7402 7403 7404 7405 7406 7407 7408 ... 7439 ) Next »

Red Hat alert: Updated bugzilla packages fix security issues

  • Mailing list (Posted by dave on Aug 20, 2002 10:44 AM EDT)
  • Story Type: Security; Groups: Red Hat
A number of security-related bugs have been found in Bugzilla version

Red Hat alert: New PHP packages fix vulnerability in safemode

  • Mailing list (Posted by dave on Aug 20, 2002 7:23 AM EDT)
  • Story Type: Security; Groups: Red Hat
PHP versions earlier than 4.1.0 contain a vulnerability that could allow arbitrary commands to be executed.

Debian alert: New mantis package fixes several vulnerabilities

  • Mailing list (Posted by dave on Aug 20, 2002 7:08 AM EDT)
  • Story Type: Security; Groups: Debian
Jeroen Latour pointed out that we missed one uninitialized variable in DSA 153-1, which was insecurely used with file inclusions in the Mantis package, a php based bug tracking system. When such occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system.

Red Hat alert: Updated libpng packages fix buffer overflow

  • Mailing list (Posted by dave on Aug 19, 2002 12:22 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated libpng packages are available that fix a buffer overflow vulnerability.

Debian alert: New fam packages fix privilege escalation

  • Mailing list (Posted by dave on Aug 16, 2002 10:09 AM EDT)
  • Story Type: Security; Groups: Debian
A flaw was discovered in FAM's group handling. In the effect users are unable to FAM directories they have group read and execute permissions on. However, also unprivileged users can potentially learn names of files that only users in root's group should be able to view.

Red Hat alert: Updated krb5 packages fix remote buffer overflow

  • Mailing list (Posted by dave on Aug 15, 2002 1:02 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Kerberos 5 packages are now available for Red Hat LInux 6.2, 7, 7.1, 7.2, and 7.3. These updates fix a buffer overflow in the XDR decoder.

Mandrake alert: bind update

A vulnerability was discovered in the BIND9 DNS server in versions prior to 9.2.1.

Mandrake alert: sharutils update

The uudecode utility creates output files without checking to see if it is about to write to a symlink or pipe. This could be exploited by a local attacker to overwrite files or lead to privilege escalation if users decode data into share directories, such as /tmp. This update fixes this vulnerability by checking to see if the destination output file is a symlink or pipe.

Mandrake alert: xchat update

In versions of the xchat IRC client prior to version 1.8.9, xchat does not filter the response from an IRC server when a /dns query is executed. xchat resolves hostnames by passing the configured resolver and hostname to a shell, so an IRC server may return a malicious response formatted so that arbitrary commands are executed with the privilege of the user running xchat.

Debian alert: New mantis package fixes cross site code execution

  • Mailing list (Posted by dave on Aug 14, 2002 5:33 AM EDT)
  • Story Type: Security; Groups: Debian
Joao Gouveia discovered an uninitialized variable which was insecurely used with file inclusions in the mantis package, a php based bug tracking system. The Debian Security Team found even more similar problems. When these occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system.

Mandrake alert: libpng update

A buffer overflow was found in the in the progressive reader of the PNG library when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. These deliberately malformed datastreams would crash applications thus potentially allowing an attacker to execute malicious code. Many programs make use of the PNG libraries, including web browsers. This overflow is corrected in versions 1.0.14 and 1.2.4 of the PNG library. In order to have the system utilize the upgraded packages after the upgrade, you must restart all running applications that are linked to libpng. You can obtain this list by executing "lsof|grep libpng" or "fuser -v /usr/lib/libpng.so".

Mandrake alert: glibc update

A buffer overflow vulnerability was found in the way that the glibc resolver handles the resolution of network names and addresses via DNS in glibc versions 2.2.5 and earlier. Only systems using the "dns" entry in the "networks" database in /etc/nsswitch.conf are vulnerable to this issue. By default, Mandrake Linux has this database set to "files" and is not vulnerable. Likewise, a similar bug is in the glibc-compat packages which provide compatability for programs compiled against 2.0.x versions of glibc.

Debian alert: New l2tpd packages adds better randomization

  • Mailing list (Posted by dave on Aug 13, 2002 11:16 AM EDT)
  • Story Type: Security; Groups: Debian
Current versions of l2tpd, a layer 2 tunneling client/server program, forgot to initialize the random generator which made it vulnerable since all generated random number were 100% guessable. When dealing with the size of the value in an attribute value pair, too many bytes were able to be copied, which could lead into the vendor field being overwritten.

Debian alert: New xinetd packages fix local denial of service

  • Mailing list (Posted by dave on Aug 13, 2002 10:38 AM EDT)
  • Story Type: Security; Groups: Debian
Solar Designer found a vulnerability in xinetd, a replacement for the BSD derived inetd. File descriptors for the signal pipe introduced in version 2.3.4 are leaked into services started from xinetd. The descriptors could be used to talk to xinetd resulting in crashing it entirely. This is usually called a denial of service.

Debian alert: New interchange packages fix illegal file exposition

  • Mailing list (Posted by dave on Aug 13, 2002 8:32 AM EDT)
  • Story Type: Security; Groups: Debian
A problem has been discovered in Interchange, an e-commerce and general HTTP database display system, which can lead to an attacker being able to read any file to which the user of the Interchange daemon has sufficient permissions, when Interchange runs in "INET mode" (internet domain socket). This is not the default setting in Debian packages, but configurable with Debconf and via configuration file. We also believe that this bug cannot exploited on a regular Debian system.

Debian alert: New glibc packages fix security related problems

  • Mailing list (Posted by dave on Aug 13, 2002 12:21 AM EDT)
  • Story Type: Security; Groups: Debian
An integer overflow bug has been discovered in the RPC library used by GNU libc, which is derived from the SunRPC library. This bug could be exploited to gain unauthorized root access to software linking to this code. The packages below also fix integer overflows in the malloc code. They also contain a fix from Andreas Schwab to reduce linebuflen in parallel to bumping up the buffer pointer in the NSS DNS code.

Red Hat alert: Updated glibc packages fix vulnerabilities in RPC XDR decoder

  • Mailing list (Posted by dave on Aug 12, 2002 9:11 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated glibc packages are available to fix a buffer overflow in the XDR decoder.

Red Hat alert: Updated Tcl/Tk packages fix local vulnerability

  • Mailing list (Posted by dave on Aug 12, 2002 11:39 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Tcl/Tk packages for Red Hat Linux 7 and 7.1 fix two local vulnerabilities.

SuSE alert: i4l

  • Mailing list (Posted by dave on Aug 12, 2002 2:22 AM EDT)
  • Story Type: Security; Groups: SUSE
The i4l package contains several programs for ISDN maintenance and connectivity on Linux. The ipppd program which is part of the package contained various buffer overflows and format string bugs. Since ipppd is installed setuid to root and executable by users of group 'dialout' this may allow attackers with appropriate group membership to execute arbitrary commands as root. The i4l package is installed by default and also vulnerable if you do not have a ISDN setup. The buffer overflows and format string bugs have been fixed. We strongly recommend an update of the i4l package. If you do not consider updating the package it is also possible to remove the setuid bit from /usr/sbin/ipppd as a temporary workaround. The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd.

Debian alert: New hylafax packages fix security related problems

  • Mailing list (Posted by dave on Aug 11, 2002 11:53 PM EDT)
  • Story Type: Security; Groups: Debian
A set of problems have been discovered in Hylafax, a flexible client/server fax software distributed with many GNU/Linux distributions. Quoting SecurityFocus the problems are in detail:

« Previous ( 1 ... 7398 7399 7400 7401 7402 7403 7404 7405 7406 7407 7408 ... 7439 ) Next »