Showing all newswire headlines

New umb-scheme packages are available for Red Hat Linux 6.2 that fix a problem with file permissions.

Updated perl and mailx package are now available which fix a potential exploit made possible by incorrect assumptions made in suidperl.

This notice addresses the latest security advisories from various Linux Vendors as well as private contributors.

The versions of the ISC DHCP client in debian 2.1 (slink) and debian 2.2 (potato) are vulnerable to a root exploit. The OpenBSD team reports that the client inappropriately executes commands embedded in replies sent from a dhcp server. This means that a malicious dhcp server can execute commands on the client with root privilages. A previous Debian security advisory addressed this issue with package versions 2.0b1pl6-0.3 and 2.0-3potato1, but ISC has released a newer patch since the original advisory. You should install the latest packages even if you upgraded when the last advisory was released.

The version of userv that was distributed with Debian GNU/Linux 2.1 / slink had a problem in the fd swapping algorithm: it could sometimes make an out-of-bounds array reference. It might be possible for local users to abuse this to carry out unauthorised actions or be able to take control for service user accounts.

This is an updated of RHSA-2000:043 that contains further upgrade instructions. The rpc.statd daemon in the nfs-utils package shipped in Red Hat Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote root break-in.

This is an updated of RHSA-2000:043 that contains further upgrade instructions. The rpc.statd daemon in the nfs-utils package shipped in Red Hat Linux 6.0, 6.1, and 6.2 contains a flaw that could lead to a remote root break-in.

The standard ftp server does directly pass untrusted data from a DNS server to the setproctitle() function in a unsecure manner.

The version of nfs-common distributed in Debian GNU/Linux 2.2 (a.k.a potato), as well as in the unstable (woody) distribution, is vulnerable to a remote root compromise. No exploit is known to exist in the wild, but the vulnerability has been verified. This has been fixed in version 0.1.9.1-1 of the nfs-common package. We recommend that you update nfs-common immediately.

The versions of cvsweb distributed in Debian GNU/Linux 2.1 (aka slink) as well as in the frozen (potato) and unstable (woody) distributions, are vulnerable to a remote shell exploit. An attacker with write access to the cvs repository can execute arbitrary code on the server, as the www-data user.

The client side program of the ISC DHCP package, dhclient, does not do quoting of server messages before passing them to /sbin/dhclient-script. This script is executed with root privileges.

Tnef extracts eMails compressed with MS-Outlook. The compressed file includes the path name to which the decompressed data should be written.

a few days ago a /tmp race condition bug in the makewhatis program was posted on bugtraq. We are NOT vulnerable by this bug, because we use different code, which doesn't touch /tmp in a unsecure way.

The makewhatis portion of the man package used files in /tmp in an insecure fashion. It was possible for local users to exploit this vulnerability to modify files that they normally could not and gain elevated privilege.

The canna package as distributed in Debian GNU/Linux 2.1 can be remotely exploited to gain access. This could be done by overflowing a buffer by sending a SR_INIT command with a very long usernamd or groupname.

The versions of the ISC DHCP client in debian 2.1 (slink) and debian 2.2 (potato) are vulnerable to a root exploit. The OpenBSD team reports that the client inappropriately executes commands embedded in replies sent from a dhcp server. This means that a malicious dhcp server can execute commands on the client with root privilages.

alot of customers report problems after updateing the kernel. Please, execute 'mk_initrd' and 'lilo' after upgrading the kernel.

A remote exploit has been found in the FTP daemon, wu-ftpd. This can allow an attacker full access to your machine.

The implementation of the capability feature of the kernel

The wu-ftp FTP server does not do proper bounds checking while processing the SITE EXEC command.