Showing all newswire headlines
View by date, instead?« Previous ( 1 ... 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 ... 7469 ) Next »
Mandrake alert: Updated apache packages fix multiple vulnerabilities
A number of vulnerabilities were discovered in Apache versions prior to 1.3.27. The first is regarding the use of shared memory (SHM) in Apache. An attacker that is able to execute code as the UID of the webserver (typically "apache") is able to send arbitrary processes a USR1 signal as root. Using this vulnerability, the attacker can also cause the Apache process to continously span more children processes, thus causing a local DoS. Another vulnerability was discovered by Matthew Murphy regarding a cross site scripting vulnerability in the standard 404 error page. Finally, some buffer overflows were found in the "ab" benchmark program that is included with Apache.
Debian alert: Multiple MySQL vulnerabilities
While performing an audit of MySQL e-matters found several problems:
Red Hat alert: Updated Net-SNMP packages fix security and other bugs
The Net-SNMP packages shipped with Red Hat Linux 8.0 contain several bugs
including a remote denial of service vulnerability. This errata release
corrects those problems.
Red Hat alert: Updated Fetchmail packages fix security vulnerability
Updated Fetchmail packages are available for Red Hat Linux versions 6.2, 7,
7.1, 7.2, 7.3, and 8.0 which close a remotely-exploitable vulnerability in
unpatched versions of Fetchmail prior to 6.
Debian alert: New mICQ packages fix denial of service
Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE seperator causes all versions to
crash.
Debian alert: lynx CRLF injection
lynx (a text-only web browser) did not properly check for illegal
characters in all places, including processing of command line options,
which could be used to insert extra HTTP headers in a request.
Debian alert: two wget problems
Two problems have been found in the wget package as distributed in
Debian GNU/Linux:
Red Hat alert: Updated apache, httpd, and mod_ssl packages available
Updated apache and httpd packages which fix a number of security issues are
now available for Red Hat Linux 6.2, 7, 7.1, 7.2, 7.3, and 8.0.
Debian alert: New Perl packages correct Safe handling
A security hole has been discovered in Safe.pm which is used in all
versions of Perl. The Safe extension module allows the creation of
compartments in which perl code can be evaluated in a new namespace
and the code evaluated in the compartment cannot refer to variables
outside this namespace. However, when a Safe compartment has already
been used, there's no guarantee that it is Safe any longer, because
there's a way for code to be executed within the Safe compartment to
alter its operation mask. Thus, programs that use a Safe compartment
only once aren't affected by this bug.
Mandrake alert: Updated wget packages fix directory traversal vulnerability
A vulnerability in all versions of wget prior to and including 1.8.2 was discovered by Steven M. Christey. The bug permits a malicious FTP server to create or overwriet files anywhere on the local file system by sending filenames beginning with "/" or containing "/../". This can be used to make vulnerable FTP clients write files that can later be used for attack against the client machine.
Debian alert: New tetex-lib packages fix arbitrary command execution
The SuSE security team discovered a vulnerability in kpathsea library
(libkpathsea) which is used by xdvi and dvips. Both programs call the
system() function insecurely, which allows a remote attacker to
execute arbitrary commands via cleverly crafted DVI files.
Debian alert: tcpdump BGP decoding error
The BGP decoding routines for tcpdump used incorrect bounds checking
when copying data. This could be abused by introducing malicious traffic
on a sniffed network for a denial of service attack against tcpdump,
or possibly even remote code execution.
Debian alert: gtetrinet buffer overflows
Steve Kemp and James Antill found several buffer overflows in the
gtetrinet (a multiplayer tetris-like game) package as shipped in
Debian GNU/Linux 3.0, which could be abused by a malicious server.
Red Hat alert: Updated wget packages fix directory traversal bug
The wget packages shipped with Red Hat Linux 6.2 through 8.0 contain a
security bug which, under certain circumstances, can cause local files to
be written outside the download directory.
Red Hat alert: Updated Canna packages fix vulnerabilities
The Canna server, used for Japanese character input, has two security
vulnerabilities including an exploitable buffer overrun allowing a local
user to gain 'bin' user privileges. Updated packages for Red Hat Linux are
available.
Mandrake alert: Updated python packages fix local arbitrary code execution vulnerability
A vulnerability was discovered in python by Zack Weinberg in the way that the execvpe() method from the os.py module uses a temporary file name. The file is created in an unsafe manner and execvpe() tries to execute it, which can be used by a local attacker to execute arbitrary code with the privilege of the user running the python code that is using this method. Update: The previously released packages for 9.0 had an incorrect dependency on libdb.so.2 instead of libdb.so.3. This update corrects that problem.
Debian alert: New IM packages correct hidden architecture dependency
Despite popular belief, the IM packages are not architecture
independent, since the number of the fsync syscal is detected on
build time and this number differs on Linux architectures and
other operating systems. As a result of this the optional feature
``NoSync=no'' does only work on the architecture the package was
built on. As usual, we are including the text of the original
advisory DSA 202-1:
Debian alert: New html2ps packages correct fix against arbitrary code execution
The security update from DSA 192-1 contained a syntax error which is
now fixed. For completeness we include the text of the old advisory:
SuSE alert: OpenLDAP2
OpenLDAP is the Open Source implementation of the Lightweight Directory Access Protocol (LDAP) and is used in network environments for distributing certain information such as X.509 certificates or login information.
Debian alert: New kdlibs packages fix arbitrary program execution
The KDE team has discovered a vulnerability in the support for various
network protocols via the KIO The implementation of the rlogin and
protocol allows a carefully crafted URL in an HTML page, HTML email or
other KIO-enabled application to execute arbitrary commands on the
system using the victim's account on the vulnerable machine.
« Previous ( 1 ... 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 ... 7469 ) Next »