Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 ... 7469 ) Next »

Mandrake alert: Updated apache packages fix multiple vulnerabilities

A number of vulnerabilities were discovered in Apache versions prior to 1.3.27. The first is regarding the use of shared memory (SHM) in Apache. An attacker that is able to execute code as the UID of the webserver (typically "apache") is able to send arbitrary processes a USR1 signal as root. Using this vulnerability, the attacker can also cause the Apache process to continously span more children processes, thus causing a local DoS. Another vulnerability was discovered by Matthew Murphy regarding a cross site scripting vulnerability in the standard 404 error page. Finally, some buffer overflows were found in the "ab" benchmark program that is included with Apache.

Debian alert: Multiple MySQL vulnerabilities

  • Mailing list (Posted by dave on Dec 17, 2002 2:55 AM EDT)
  • Story Type: Security; Groups: Debian
While performing an audit of MySQL e-matters found several problems:

Red Hat alert: Updated Net-SNMP packages fix security and other bugs

  • Mailing list (Posted by dave on Dec 17, 2002 1:09 AM EDT)
  • Story Type: Security; Groups: Red Hat
The Net-SNMP packages shipped with Red Hat Linux 8.0 contain several bugs including a remote denial of service vulnerability. This errata release corrects those problems.

Red Hat alert: Updated Fetchmail packages fix security vulnerability

  • Mailing list (Posted by dave on Dec 17, 2002 12:20 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Fetchmail packages are available for Red Hat Linux versions 6.2, 7, 7.1, 7.2, 7.3, and 8.0 which close a remotely-exploitable vulnerability in unpatched versions of Fetchmail prior to 6.

Debian alert: New mICQ packages fix denial of service

  • Mailing list (Posted by dave on Dec 13, 2002 6:26 AM EDT)
  • Story Type: Security; Groups: Debian
Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE seperator causes all versions to crash.

Debian alert: lynx CRLF injection

  • Mailing list (Posted by dave on Dec 12, 2002 2:41 PM EDT)
  • Story Type: Security; Groups: Debian
lynx (a text-only web browser) did not properly check for illegal characters in all places, including processing of command line options, which could be used to insert extra HTTP headers in a request.

Debian alert: two wget problems

  • Mailing list (Posted by dave on Dec 12, 2002 1:49 PM EDT)
  • Story Type: Security; Groups: Debian
Two problems have been found in the wget package as distributed in Debian GNU/Linux:

Red Hat alert: Updated apache, httpd, and mod_ssl packages available

  • Mailing list (Posted by dave on Dec 12, 2002 10:05 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated apache and httpd packages which fix a number of security issues are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0.

Debian alert: New Perl packages correct Safe handling

  • Mailing list (Posted by dave on Dec 12, 2002 5:46 AM EDT)
  • Story Type: Security; Groups: Debian
A security hole has been discovered in Safe.pm which is used in all versions of Perl. The Safe extension module allows the creation of compartments in which perl code can be evaluated in a new namespace and the code evaluated in the compartment cannot refer to variables outside this namespace. However, when a Safe compartment has already been used, there's no guarantee that it is Safe any longer, because there's a way for code to be executed within the Safe compartment to alter its operation mask. Thus, programs that use a Safe compartment only once aren't affected by this bug.

Mandrake alert: Updated wget packages fix directory traversal vulnerability

A vulnerability in all versions of wget prior to and including 1.8.2 was discovered by Steven M. Christey. The bug permits a malicious FTP server to create or overwriet files anywhere on the local file system by sending filenames beginning with "/" or containing "/../". This can be used to make vulnerable FTP clients write files that can later be used for attack against the client machine.

Debian alert: New tetex-lib packages fix arbitrary command execution

  • Mailing list (Posted by dave on Dec 11, 2002 7:37 AM EDT)
  • Story Type: Security; Groups: Debian
The SuSE security team discovered a vulnerability in kpathsea library (libkpathsea) which is used by xdvi and dvips. Both programs call the system() function insecurely, which allows a remote attacker to execute arbitrary commands via cleverly crafted DVI files.

Debian alert: tcpdump BGP decoding error

  • Mailing list (Posted by dave on Dec 10, 2002 1:41 PM EDT)
  • Story Type: Security; Groups: Debian
The BGP decoding routines for tcpdump used incorrect bounds checking when copying data. This could be abused by introducing malicious traffic on a sniffed network for a denial of service attack against tcpdump, or possibly even remote code execution.

Debian alert: gtetrinet buffer overflows

  • Mailing list (Posted by dave on Dec 10, 2002 1:25 PM EDT)
  • Story Type: Security; Groups: Debian
Steve Kemp and James Antill found several buffer overflows in the gtetrinet (a multiplayer tetris-like game) package as shipped in Debian GNU/Linux 3.0, which could be abused by a malicious server.

Red Hat alert: Updated wget packages fix directory traversal bug

  • Mailing list (Posted by dave on Dec 10, 2002 6:23 AM EDT)
  • Story Type: Security; Groups: Red Hat
The wget packages shipped with Red Hat Linux 6.2 through 8.0 contain a security bug which, under certain circumstances, can cause local files to be written outside the download directory.

Red Hat alert: Updated Canna packages fix vulnerabilities

  • Mailing list (Posted by dave on Dec 10, 2002 6:22 AM EDT)
  • Story Type: Security; Groups: Red Hat
The Canna server, used for Japanese character input, has two security vulnerabilities including an exploitable buffer overrun allowing a local user to gain 'bin' user privileges. Updated packages for Red Hat Linux are available.

Mandrake alert: Updated python packages fix local arbitrary code execution vulnerability

A vulnerability was discovered in python by Zack Weinberg in the way that the execvpe() method from the os.py module uses a temporary file name. The file is created in an unsafe manner and execvpe() tries to execute it, which can be used by a local attacker to execute arbitrary code with the privilege of the user running the python code that is using this method. Update: The previously released packages for 9.0 had an incorrect dependency on libdb.so.2 instead of libdb.so.3. This update corrects that problem.

Debian alert: New IM packages correct hidden architecture dependency

  • Mailing list (Posted by dave on Dec 6, 2002 5:08 AM EDT)
  • Story Type: Security; Groups: Debian
Despite popular belief, the IM packages are not architecture independent, since the number of the fsync syscal is detected on build time and this number differs on Linux architectures and other operating systems. As a result of this the optional feature ``NoSync=no'' does only work on the architecture the package was built on. As usual, we are including the text of the original advisory DSA 202-1:

Debian alert: New html2ps packages correct fix against arbitrary code execution

  • Mailing list (Posted by dave on Dec 6, 2002 5:07 AM EDT)
  • Story Type: Security; Groups: Debian
The security update from DSA 192-1 contained a syntax error which is now fixed. For completeness we include the text of the old advisory:

SuSE alert: OpenLDAP2

  • Mailing list (Posted by dave on Dec 6, 2002 2:16 AM EDT)
  • Story Type: Security; Groups: SUSE
OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.

Debian alert: New kdlibs packages fix arbitrary program execution

  • Mailing list (Posted by dave on Dec 5, 2002 6:11 AM EDT)
  • Story Type: Security; Groups: Debian
The KDE team has discovered a vulnerability in the support for various network protocols via the KIO The implementation of the rlogin and protocol allows a carefully crafted URL in an HTML page, HTML email or other KIO-enabled application to execute arbitrary commands on the system using the victim's account on the vulnerable machine.

« Previous ( 1 ... 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 ... 7469 ) Next »