Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 ... 7468 ) Next »

Red Hat alert: Updated mailman packages close cross-site scripting vulnerability

  • Mailing list (Posted by dave on Aug 23, 2002 9:07 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mailman packages are now available for Red Hat Linux 7.2 and 7.3. These updates close a cross-site scripting vulnerability present in mailman versions prior to version

Debian alert: New irssi-text packages fix denial of service

  • Mailing list (Posted by dave on Aug 23, 2002 6:03 AM EDT)
  • Story Type: Security; Groups: Debian
The IRC client irssi is vulnerable to a denial of service condition. The problem occurs when a user attempts to join a channel that has an overly long topic description. When a certain string is appended to the topic, irssi will crash.

Debian alert: New Light package fixes arbitrary script execution

  • Mailing list (Posted by dave on Aug 22, 2002 12:34 PM EDT)
  • Story Type: Security; Groups: Debian
All versions of the EPIC script Light prior to 2.7.30p5 (on the 2.7 branch) and prior to 2.8pre10 (on the 2.8 branch) running on any platform are vulnerable to a remotely-exploitable bug, which can lead to nearly arbitrary code execution.

Red Hat alert: New kernel update available, fixes i810 video oops, several security issues

  • Mailing list (Posted by dave on Aug 21, 2002 10:13 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated kernel packages are now available which fix an oops in the i810 3D kernel code. This kernel update also fixes a difficult to trigger race in the dcache (filesystem cache) code, as well as some potential security holes, although we are not currently aware of any exploits.

Debian alert: New kdelibs packages fix several vulnerabilities

  • Mailing list (Posted by dave on Aug 21, 2002 2:32 AM EDT)
  • Story Type: Security; Groups: Debian
Due to a security engineering oversight, the SSL library from KDE, which Konqueror uses, doesn't check whether an intermediate certificate for a connection is signed by the certificate authority as safe for the purpose, but accepts it when it is signed. This makes it possible for anyone with a valid VeriSign SSL site certificate to forge any other VeriSign SSL site certificate, and abuse Konqueror users.

Red Hat alert: Updated bugzilla packages fix security issues

  • Mailing list (Posted by dave on Aug 20, 2002 10:44 AM EDT)
  • Story Type: Security; Groups: Red Hat
A number of security-related bugs have been found in Bugzilla version

Red Hat alert: New PHP packages fix vulnerability in safemode

  • Mailing list (Posted by dave on Aug 20, 2002 7:23 AM EDT)
  • Story Type: Security; Groups: Red Hat
PHP versions earlier than 4.1.0 contain a vulnerability that could allow arbitrary commands to be executed.

Debian alert: New mantis package fixes several vulnerabilities

  • Mailing list (Posted by dave on Aug 20, 2002 7:08 AM EDT)
  • Story Type: Security; Groups: Debian
Jeroen Latour pointed out that we missed one uninitialized variable in DSA 153-1, which was insecurely used with file inclusions in the Mantis package, a php based bug tracking system. When such occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system.

Red Hat alert: Updated libpng packages fix buffer overflow

  • Mailing list (Posted by dave on Aug 19, 2002 12:22 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated libpng packages are available that fix a buffer overflow vulnerability.

Debian alert: New fam packages fix privilege escalation

  • Mailing list (Posted by dave on Aug 16, 2002 10:09 AM EDT)
  • Story Type: Security; Groups: Debian
A flaw was discovered in FAM's group handling. In the effect users are unable to FAM directories they have group read and execute permissions on. However, also unprivileged users can potentially learn names of files that only users in root's group should be able to view.

Red Hat alert: Updated krb5 packages fix remote buffer overflow

  • Mailing list (Posted by dave on Aug 15, 2002 1:02 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated Kerberos 5 packages are now available for Red Hat LInux 6.2, 7, 7.1, 7.2, and 7.3. These updates fix a buffer overflow in the XDR decoder.

Mandrake alert: bind update

A vulnerability was discovered in the BIND9 DNS server in versions prior to 9.2.1.

Mandrake alert: sharutils update

The uudecode utility creates output files without checking to see if it is about to write to a symlink or pipe. This could be exploited by a local attacker to overwrite files or lead to privilege escalation if users decode data into share directories, such as /tmp. This update fixes this vulnerability by checking to see if the destination output file is a symlink or pipe.

Mandrake alert: xchat update

In versions of the xchat IRC client prior to version 1.8.9, xchat does not filter the response from an IRC server when a /dns query is executed. xchat resolves hostnames by passing the configured resolver and hostname to a shell, so an IRC server may return a malicious response formatted so that arbitrary commands are executed with the privilege of the user running xchat.

Debian alert: New mantis package fixes cross site code execution

  • Mailing list (Posted by dave on Aug 14, 2002 5:33 AM EDT)
  • Story Type: Security; Groups: Debian
Joao Gouveia discovered an uninitialized variable which was insecurely used with file inclusions in the mantis package, a php based bug tracking system. The Debian Security Team found even more similar problems. When these occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system.

Mandrake alert: libpng update

A buffer overflow was found in the in the progressive reader of the PNG library when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. These deliberately malformed datastreams would crash applications thus potentially allowing an attacker to execute malicious code. Many programs make use of the PNG libraries, including web browsers. This overflow is corrected in versions 1.0.14 and 1.2.4 of the PNG library. In order to have the system utilize the upgraded packages after the upgrade, you must restart all running applications that are linked to libpng. You can obtain this list by executing "lsof|grep libpng" or "fuser -v /usr/lib/libpng.so".

Mandrake alert: glibc update

A buffer overflow vulnerability was found in the way that the glibc resolver handles the resolution of network names and addresses via DNS in glibc versions 2.2.5 and earlier. Only systems using the "dns" entry in the "networks" database in /etc/nsswitch.conf are vulnerable to this issue. By default, Mandrake Linux has this database set to "files" and is not vulnerable. Likewise, a similar bug is in the glibc-compat packages which provide compatability for programs compiled against 2.0.x versions of glibc.

Debian alert: New l2tpd packages adds better randomization

  • Mailing list (Posted by dave on Aug 13, 2002 11:16 AM EDT)
  • Story Type: Security; Groups: Debian
Current versions of l2tpd, a layer 2 tunneling client/server program, forgot to initialize the random generator which made it vulnerable since all generated random number were 100% guessable. When dealing with the size of the value in an attribute value pair, too many bytes were able to be copied, which could lead into the vendor field being overwritten.

Debian alert: New xinetd packages fix local denial of service

  • Mailing list (Posted by dave on Aug 13, 2002 10:38 AM EDT)
  • Story Type: Security; Groups: Debian
Solar Designer found a vulnerability in xinetd, a replacement for the BSD derived inetd. File descriptors for the signal pipe introduced in version 2.3.4 are leaked into services started from xinetd. The descriptors could be used to talk to xinetd resulting in crashing it entirely. This is usually called a denial of service.

Debian alert: New interchange packages fix illegal file exposition

  • Mailing list (Posted by dave on Aug 13, 2002 8:32 AM EDT)
  • Story Type: Security; Groups: Debian
A problem has been discovered in Interchange, an e-commerce and general HTTP database display system, which can lead to an attacker being able to read any file to which the user of the Interchange daemon has sufficient permissions, when Interchange runs in "INET mode" (internet domain socket). This is not the default setting in Debian packages, but configurable with Debconf and via configuration file. We also believe that this bug cannot exploited on a regular Debian system.

« Previous ( 1 ... 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 ... 7468 ) Next »