Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7402 7403 7404 7405 7406 7407 7408 7409 7410 7411 7412 ... 7439 ) Next »

Red Hat alert: Ghostscript command execution vulnerability

  • Mailing list (Posted by dave on Jun 4, 2002 11:39 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated packages are available for GNU Ghostscript which fix a vulnerability found during Postscript interpretation.

Red Hat alert: Updated bind packages fix denial of service attack

  • Mailing list (Posted by dave on Jun 4, 2002 11:35 AM EDT)
  • Story Type: Security; Groups: Red Hat
Version 9 of the bind name prior to version 9.

Red Hat alert: Updated xchat packages fix /dns vulnerability

  • Mailing list (Posted by dave on Jun 4, 2002 11:24 AM EDT)
  • Story Type: Security; Groups: Red Hat
A security issue in XChat allows a malicious server to execute arbitrary commands.

Mandrake alert: bind update

A vulnerability was discovered in the BIND9 DNS server in versions prior to 9.2.1. An error condition will trigger the shutdown of the server when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. This condition causes the server to assert an error message and shutdown the BIND server. The error condition can be remotely exploited by a special DNS packet. This can only be used to create a Denial of Service on the server; the error condition is correctly detected, so it will not allow an attacker to execute arbitrary code on the server.

Red Hat alert: Updated nss_ldap packages fix pam_ldap vulnerability

  • Mailing list (Posted by dave on Jun 4, 2002 12:36 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These packages fix a string format vulnerability in the pam_ldap module. [Update Jun 4, 2002] Replacement packages have been added for Red Hat Linux 6.

Debian alert: memory allocation error in ethereal

  • Mailing list (Posted by dave on Jun 1, 2002 5:37 AM EDT)
  • Story Type: Security; Groups: Debian
Ethereal versions prior to 0.9.3 were vulnerable to an allocation error in the ASN.1 parser. This can be triggered when analyzing traffic using the SNMP, LDAP, COPS, or Kerberos protocols in ethereal. This vulnerability was announced in the ethereal security advisory enpa-sa-00003 and has been given the proposed CVE id of CAN-2002-0353. This issue has been corrected in ethereal version 0.8.0-3potato for Debian 2.2 (potato).

Debian alert: in.uucpd string truncation problem

  • Mailing list (Posted by dave on Jun 1, 2002 4:56 AM EDT)
  • Story Type: Security; Groups: Debian
We have received reports that in.uucpd, an authentication agent in the uucp package, does not properly terminate certain long input strings. This has been corrected in uucp package version 1.06.1-11potato3 for Debian 2.2 (potato) and in version 1.06.1-18 for the upcoming (woody) release.

Mandrake alert: dhcp update

Fermin J. Serna discovered a problem in the dhcp server and client package from versions 3.0 to 3.0.1rc8, which are affected by a format string vulnerability that can be exploited remotely.

Red Hat alert: Updated tcpdump packages fix buffer overflow

  • Mailing list (Posted by dave on May 30, 2002 4:52 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS packets.

Mandrake alert: dhcp update

Fermin J. Serna discovered a problem in the dhcp server and client package from versions 3.0 to 3.0.1rc8, which are affected by a format string vulnerability that can be exploited remotely. By default, these versions of DHCP are compiled with the dns update feature enabled, which allows DHCP to update DNS records. The code that logs this update has an exploitable format string vulnerability; the update message can contain data provided by the attacker, such as a hostname. A successful exploitation could give the attacker elevated privileges equivalent to the user running the DHCP daemon, which is the user dhcpd in Mandrake Linux 8.x, but root in earlier versions.

SuSE alert: tcpdump/libpcap

  • Mailing list (Posted by dave on May 29, 2002 4:23 AM EDT)
  • Story Type: Security; Groups: SUSE
The tcpdump program may be used to capture and decode network traffic. Tcpdump decodes certain packets such as AFS requests in a wrong way resulting in a buffer overflow. Since running tcpdump requires root privileges this may lead to a root compromise of the system running tcpdump. We strongly recommend an update for administrators using tcpdump to monitor their networks since the only safe workaround is to not use it at all. Additionally to the fixed tcpdump packages we provide new libpcap packages. Libpcap on which most network monitoring programs rely also contained overflows which however are only exploitable by local attackers if you installed programs using libpcap setuid. This is not found in a default install. More information about tcpdump and libpcap may be found at http://www.tcpdump.org

Mandrake alert: fetchmail update

A problem was discovered with versions of fetchmail prior to 5.9.10 that was triggered by retreiving mail from an IMAP server. The fetchmail client will allocate an array to store the sizes of the messages it is attempting to retrieve. This array size is determined by the number of messages the server is claiming to have, and fetchmail would not check whether or not the number of messages the server was claiming was too high. This would allow a malicious server to make the fetchmail process write data outside of the array bounds.

Mandrake alert: perl-Digest-MD5 update

A bug exists in the UTF8 interaction between the perl-Digest-MD5 module and perl that results in UTF8 strings having improper MD5 digests. The 2.20 version of the module corrects this problem.

Mandrake alert: imap update

A buffer overflow was discovered in the imap server that could allow a malicious user to run code on the server with the uid and gid of the email owner by constructing a malformed request that would trigger the buffer overflow. However, the user must successfully authenticate to the imap service in order to exploit it, which limits the scope of the vulnerability somewhat, unless you are a free mail provider or run a mail service where users do not already have shell access to the system.

Red Hat alert: Updated nss_ldap packages fix pam_ldap vulnerability

  • Mailing list (Posted by dave on May 26, 2002 11:56 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7.0, 7.1,7.2, and 7.3. These packages fix a string format vulnerability in the pam_ldap module.

Red Hat alert: Buffer overflow in UW imap daemon

  • Mailing list (Posted by dave on May 24, 2002 11:00 AM EDT)
  • Story Type: Security; Groups: Red Hat
The UW imap daemon contains a buffer overflow which allows a logged in, remote user to execute commands on the server with the user's UID/GID.

Red Hat alert: Buffer overflow in UW imap daemon

  • Mailing list (Posted by dave on May 24, 2002 11:00 AM EDT)
  • Story Type: Security; Groups: Red Hat
The UW imap daemon contains a buffer overflow which allows a logged in, remote user to execute commands on the server with the user's UID/GID.

SuSE alert: dhcp/dhcp-server

  • Mailing list (Posted by dave on May 22, 2002 8:55 AM EDT)
  • Story Type: Security; Groups: SUSE
The "Dynamic Host Configuration Protocol" (DHCP) server from the Internet Software Consortium allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached.

Mandrake alert: webmin update

A vulnerability exists in all versions of Webmin prior to 0.970 that allows a remote attacker to login to Webmin as any user. All users of Webmin are encouraged to upgrade immediately. Users of Mandrake Linux 8.0 and earlier will need to install some additional perl modules for this new version of webmin to work correctly.

Red Hat alert: Updated fetchmail packages available

  • Mailing list (Posted by dave on May 21, 2002 5:16 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated fetchmail packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3 which close a remotely-exploitable vulnerability in unpatched versions of fetchmail prior to 5.9.10.

« Previous ( 1 ... 7402 7403 7404 7405 7406 7407 7408 7409 7410 7411 7412 ... 7439 ) Next »