Showing all newswire headlines

Updated webalizer packages are available which fix a security problem and some minor bugs.

The squid proxy server can be crashed with a malformed request, resulting in a denial of service attack. After the crash, the squid proxy must be restarted. The weakness can only be triggered from an address that is allowed to send requests, as configured in the squid configuration file.

When used in a spooling environment, it is inappropriate to allow programs to read arbitrary files as a result of print requests. Ghostscript, a postscript interpreter, can read arbitrary system files with the same permissions as the print spooler, potentially exposing the system to an information compromise.

Two security related problems have been found in both the 2.2 and 2.4 series kernels:

Updated mod_auth_pgsql packages are now available for Red Hat Linux 7.

Updated mod_auth_pgsql packages are now available for Red Hat Linux 7.

ht://Dig is a powerfull indexing and information gathering tool for the web. ht://Dig's search engine htsearch could be run by a http server as CGI program or standalone as commandline tool. Due to insufficient checking of the running environment it is possible to use commandline options via CGI. An remote attacker could use the -c option to specify /dev/zero as an alternate config file to causes a denial of service for some minutes. To read files with the privilege of the http server by abusing the -c option an attacker needs write access to the server running htsearch.

Multiple Linux vendors have issued security announcements about failures of the /bin/login program to properly initialize the privileges of an authenticated user if the PAM module pam_limits is enabled. The bug has been categorized as a sequence bug, and is located in the code of the login program itself: A call to getpwnam(3) returns a pointer to a struct passwd, and the data is being used. Then, a call to PAM routines cause getpwnam(3) to be called again, but beyond the programmer's control or knowledge. The pointer as returned by the first getpwnam(3) remains the same, but the data may be different. By consequence, the data is in an undefined state. The error appears with the pam_limits PAM module only because other PAM modules do not call getpwnam(3).

A vulnerability has been found in the ptrace code of the kernel (ptrace is the part that allows program debuggers to run) that could be abused by local users to gain root privileges. 2001-10-22: Kernel updates are now available for Red Hat Linux 7.

Red Hat, Inc. (NASDAQ:RHAT) today announced that Red Hat Linux 7.2 and Red Hat Linux Professional are now available in stores, through computer resellers and direct from Red Hat. The latest version of the market leading Linux distribution adds significant new capabilities, both for use as a workstation and use as a server. Red Hat Linux 7.2 and Red Hat Linux Professional will also be available through hardware partners in the coming weeks.

New squid packages are available that fix a potential DoS in Squid's FTP handling code. It is recommened that squid users update to the fixed packages. The packages for Red Hat Linux 6.2 also fix the problem described in RHSA-2001:097-04; it was later discovered that Red Hat Linux 6.2 is vulnerable to the same problem in accelerator-only mode. 2001-10-22: Packages are now available for Red Hat Linux 7.

New squid packages are available that fix a potential DoS in Squid's FTP handling code. It is recommened that squid users update to the fixed packages. The packages for Red Hat Linux 6.2 also fix the problem described in RHSA-2001:097-04; it was later discovered that Red Hat Linux 6.2 is vulnerable to the same problem in accelerator-only mode. 2001-10-22: Packages are now available for Red Hat Linux 7.

New util-linux packages are available that fix a problem with /bin/login's PAM implementation. This could, in some non-default setups, cause users to receive credentials of other users. It is recommended that all users update to the fixed packages. 2001-10-22: Packages are now available for Red Hat Linux 7.

Updated openssh packages are now available for Red Hat Linux 7 and 7.1. These packages fix a vulnerability which may allow unauthorized users to log in from hosts that have been denied access. 2001-10-22: Pacakges are now available for Red Hat Linux 7.

New util-linux packages are available that fix a problem with /bin/login's PAM implementation. This could, in some non-default setups, cause users to receive credentials of other users. It is recommended that all users update to the fixed packages. 2001-10-22: Packages are now available for Red Hat Linux 7.

Updated openssh packages are now available for Red Hat Linux 7 and 7.1. These packages fix a vulnerability which may allow unauthorized users to log in from hosts that have been denied access. 2001-10-22: Pacakges are now available for Red Hat Linux 7.

Takeshi Uno found a very stupid format string vulnerability in all versions of nvi (in both, the plain and the multilingualized version). When a filename is saved, it ought to get displayed on the screen. The routine handling this didn't escape format strings.

Updated diffutils packages are now available, fixing a temporary file handling vulnerability in the sdiff program.

A vulnerability has been found in the ptrace code of the kernel (ptrace is the part that allows program debuggers to run) that could be abused by local users to gain root privileges.

A vulnerability has been found in the ptrace code of the kernel (ptrace is the part that allows program debuggers to run) that could be abused by local users to gain root privileges.