Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7400 7401 7402 7403 7404 7405 7406 7407 7408 7409 7410 ... 7418 ) Next »

Red Hat alert: rpm-4.0.2 for all Red Hat platforms and releases.

  • Mailing list (Posted by dave on Mar 19, 2001 10:25 AM EDT)
  • Story Type: Security; Groups: Red Hat
A common version of rpm for all Red Hat distributions is being released. This version of rpm understands legacy version 3 packaging used in Red Hat 6.x/5.x distributions as well as version 4 packaging used in Red Hat 7.x. In addition, rpm-4.0.2 has support for both the legacy db1 format used in Red Hat 6.x/5.x databases as well as support for the db3 format database used in Red Hat 7.x

Red Hat alert: Updated sgml-tools packages fix insecure temporary file handling

  • Mailing list (Posted by dave on Mar 14, 2001 1:44 PM EDT)
  • Story Type: Security; Groups: Red Hat
Insecure handling of temporary file permissions could lead to other users on a multi-user system being able to read the documents being converted.

Red Hat alert: New mutt packages fix IMAP vulnerability/incompatibility

  • Mailing list (Posted by dave on Mar 14, 2001 1:15 PM EDT)
  • Story Type: Security; Groups: Red Hat
New mutt packages are available. These packages fix an instance of the common 'format string' vulnerability, and correct an incompatibilty with the current errata IMAP server. It is recommended that all mutt users using Red Hat Linux upgrade to the new packages. The version of mutt shipped in Red Hat Linux 7.0 does not contain the format string vulnerability; it is merely a bugfix update. Users of Red Hat Linux 6.0 and 6.1 should use the packages for Red Hat Linux 6.

Red Hat alert: buffer overflow in slrn

  • Mailing list (Posted by dave on Mar 14, 2001 1:15 PM EDT)
  • Story Type: Security; Groups: Red Hat
An overflow exists in the slrn pacakge as shipped in Red Hat Linux 7 and Red Hat Linux 6.x, which could possibly lead to remote users executing arbitrary code as the user running slrn. It is recommended that all users of slrn update to the fixed packages. Users of Red Hat Linux 6.0 or 6.1 should use the packages for Red Hat Linux 6.

Debian alert: mailx local exploit

  • Mailing list (Posted by dave on Mar 13, 2001 1:05 PM EDT)
  • Story Type: Security; Groups: Debian
The mail program (a simple tool to read and send email) as distributed with Debian GNU/Linux 2.2 has a buffer overflow in the input parsing code. Since mail is installed setgid mail by default this allowed local users to use it to gain access to mail group.

Debian alert: New Zope packages available

  • Mailing list (Posted by dave on Mar 9, 2001 12:49 AM EDT)
  • Story Type: Security; Groups: Debian
This advisory covers several vulnerabilities in Zope that have been addressed.

Debian alert: New XEmacs and gnuserv packages available

  • Mailing list (Posted by dave on Mar 8, 2001 11:51 PM EDT)
  • Story Type: Security; Groups: Debian
Klaus Frank has found a vulnerability in the way gnuserv handled remote connections. Gnuserv is a remote control facility for Emacsen which is available as standalone program as well as included in XEmacs21. Gnuserv has a buffer for which insufficient boundary checks were made. Unfortunately this buffer affected access control to gnuserv which is using a MIT-MAGIC-COOCKIE based system. It is possible to overflow the buffer containing the cookie and foozle cookie comparison.

Debian alert: joe local attack via joerc

  • Mailing list (Posted by dave on Mar 8, 2001 5:10 PM EDT)
  • Story Type: Security; Groups: Debian
Christer Öberg of Wkit Security AB found a problem in joe (Joe's Own Editor). joe will look for a configuration file in three locations: the current directory, the users homedirectory ($HOME) and in /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling) reading it from the current directory can be dangerous: an attacker can leave a .joerc file in a writable directory, which would be read when a unsuspecting user starts joe in that directory.

Debian alert: slrn buffer overflow

  • Mailing list (Posted by dave on Mar 8, 2001 3:53 PM EDT)
  • Story Type: Security; Groups: Debian
Bill Nottingham reported a problem in the wrapping/unwrapping functions of the slrn newsreader. A long header in a message might overflow a buffer and which could result into executing arbitraty code encoded in the message.

Debian alert: proftp runs as root, /var symlink removal

  • Mailing list (Posted by dave on Mar 8, 2001 2:57 PM EDT)
  • Story Type: Security; Groups: Debian
This is an update to the DSA-032-1 advisory. The powerpc package that was listed in that advisory was unfortunately compiled on the wrong system which caused it to not work on a Debian GNU/Linux 2.2 system.

Debian alert: glibc local file overwrite problems

  • Mailing list (Posted by dave on Mar 8, 2001 8:46 AM EDT)
  • Story Type: Security; Groups: Debian
The version of GNU libc that was distributed with Debian GNU/Linux 2.2 suffered from 2 security problems:

Debian alert: New version of sgml-tools available

  • Mailing list (Posted by dave on Mar 7, 2001 4:52 PM EDT)
  • Story Type: Security; Groups: Debian
Former versions of sgml-tools created temporary files directly in /tmp in an insecure fashion. Version 1.0.9-15 and higher create a subdirectory first and open temporary files within that directory.

Debian alert: New versions of Athena Widget replacement libraries available

  • Mailing list (Posted by dave on Mar 7, 2001 1:55 PM EDT)
  • Story Type: Security; Groups: Debian
It has been reported that the AsciiSrc and MultiSrc widget in the Athena widget library handle temporary files insecurely. Joey Hess has ported the bugfix from XFree86 to these Xaw replacements libraries.

Debian alert: New version of Midnight Commander available

  • Mailing list (Posted by dave on Mar 7, 2001 11:56 AM EDT)
  • Story Type: Security; Groups: Debian
It has been reported that a local user could tweak Midnight Commander of another user into executing a random program under the user id of the person running Midnight Commander. This behaviour has been fixed by Andrew V. Samoilov.

Debian alert: New version of man2html available

  • Mailing list (Posted by dave on Mar 7, 2001 10:39 AM EDT)
  • Story Type: Security; Groups: Debian
It has been reported that one can tweak man2html remotely into consuming all available memory. This has been fixed by Nicolás Lichtmaier with help of Stephan Kulow.

Debian alert: New version of ePerl packages available

  • Mailing list (Posted by dave on Mar 7, 2001 7:20 AM EDT)
  • Story Type: Security; Groups: Debian
Fumitoshi Ukai and Denis Barbier have found several potential buffer overflow bugs in our version of ePerl as distributed in all of our distributions.

Debian alert: New versions of analog available

  • Mailing list (Posted by dave on Mar 7, 2001 4:34 AM EDT)
  • Story Type: Security; Groups: Debian
The author of analog, Stephen Turner, has found a buffer overflow bug in all versions of analog except of version 4.16. A malicious user could use an ALIAS command to construct very long strings which were not checked for length and boundaries. This bug is particularly dangerous if the form interface (which allows unknown users to run the program via a CGI script) has been installed. There doesn't seem to be a known exploit.

Debian alert: proftp runs as root, /var symlink removal

  • Mailing list (Posted by dave on Mar 6, 2001 4:34 PM EDT)
  • Story Type: Security; Groups: Debian
The following problems have been reported for the version of proftpd in Debian 2.2 (potato):

Debian alert: New sudo packages for powerpc available

  • Mailing list (Posted by dave on Mar 5, 2001 5:15 PM EDT)
  • Story Type: Security; Groups: Debian
Todd Miller announced a new version of sudo which corrects a buffer overflow that could potentially be used to gain root privilages on the local system. This bugfix has been backported to the version which was used in Debian GNU/Linux 2.2.

Debian alert: New proftpd packages for m68k available

  • Mailing list (Posted by dave on Mar 5, 2001 5:14 PM EDT)
  • Story Type: Security; Groups: Debian
In Debian Security Advisory DSA 029-1 we have reported several vulnerabilities in proftpd that have been fixed. For details please read the main advisory. This upload fixes:

« Previous ( 1 ... 7400 7401 7402 7403 7404 7405 7406 7407 7408 7409 7410 ... 7418 ) Next »