Showing all newswire headlines
View by date, instead?« Previous ( 1 ... 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 ... 7468 ) Next »
Red Hat alert: Updated mailman packages close cross-site scripting vulnerability
Updated mailman packages are now available for Red Hat Linux 7.2 and 7.3.
These updates close a cross-site scripting vulnerability present in mailman
versions prior to version
Debian alert: New irssi-text packages fix denial of service
The IRC client irssi is vulnerable to a denial of service condition.
The problem occurs when a user attempts to join a channel that has an
overly long topic description. When a certain string is appended to
the topic, irssi will crash.
Debian alert: New Light package fixes arbitrary script execution
All versions of the EPIC script Light prior to 2.7.30p5 (on the 2.7
branch) and prior to 2.8pre10 (on the 2.8 branch) running on any
platform are vulnerable to a remotely-exploitable bug, which can lead
to nearly arbitrary code execution.
Red Hat alert: New kernel update available, fixes i810 video oops, several security issues
Updated kernel packages are now available which fix an oops in the i810 3D
kernel code. This kernel update also fixes a difficult to trigger race in
the dcache (filesystem cache) code, as well as some potential security
holes, although we are not currently aware of any exploits.
Debian alert: New kdelibs packages fix several vulnerabilities
Due to a security engineering oversight, the SSL library from KDE,
which Konqueror uses, doesn't check whether an intermediate
certificate for a connection is signed by the certificate authority as
safe for the purpose, but accepts it when it is signed. This makes it
possible for anyone with a valid VeriSign SSL site certificate to
forge any other VeriSign SSL site certificate, and abuse Konqueror
users.
Red Hat alert: Updated bugzilla packages fix security issues
A number of security-related bugs have been found in Bugzilla version
Red Hat alert: New PHP packages fix vulnerability in safemode
PHP versions earlier than 4.1.0 contain a vulnerability that could allow
arbitrary commands to be executed.
Debian alert: New mantis package fixes several vulnerabilities
Jeroen Latour pointed out that we missed one uninitialized variable in
DSA 153-1, which was insecurely used with file inclusions in the
Mantis package, a php based bug tracking system. When such occasions
are exploited, a remote user is able to execute arbitrary code under
the webserver user id on the web server hosting the mantis system.
Red Hat alert: Updated libpng packages fix buffer overflow
Updated libpng packages are available that fix a buffer overflow vulnerability.
Debian alert: New fam packages fix privilege escalation
A flaw was discovered in FAM's group handling. In the effect users
are unable to FAM directories they have group read and execute
permissions on. However, also unprivileged users can potentially
learn names of files that only users in root's group should be able to
view.
Red Hat alert: Updated krb5 packages fix remote buffer overflow
Updated Kerberos 5 packages are now available for Red Hat LInux 6.2, 7,
7.1, 7.2, and 7.3. These updates fix a buffer overflow in the XDR decoder.
Mandrake alert: bind update
A vulnerability was discovered in the BIND9 DNS server in versions prior to 9.2.1.
Mandrake alert: sharutils update
The uudecode utility creates output files without checking to see if it is about to write to a symlink or pipe. This could be exploited by a local attacker to overwrite files or lead to privilege escalation if users decode data into share directories, such as /tmp. This update fixes this vulnerability by checking to see if the destination output file is a symlink or pipe.
Mandrake alert: xchat update
In versions of the xchat IRC client prior to version 1.8.9, xchat does not filter the response from an IRC server when a /dns query is executed. xchat resolves hostnames by passing the configured resolver and hostname to a shell, so an IRC server may return a malicious response formatted so that arbitrary commands are executed with the privilege of the user running xchat.
Debian alert: New mantis package fixes cross site code execution
Joao Gouveia discovered an uninitialized variable which was insecurely
used with file inclusions in the mantis package, a php based bug
tracking system. The Debian Security Team found even more similar
problems. When these occasions are exploited, a remote user is able
to execute arbitrary code under the webserver user id on the web
server hosting the mantis system.
Mandrake alert: libpng update
A buffer overflow was found in the in the progressive reader of the PNG library when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. These deliberately malformed datastreams would crash applications thus potentially allowing an attacker to execute malicious code. Many programs make use of the PNG libraries, including web browsers. This overflow is corrected in versions 1.0.14 and 1.2.4 of the PNG library. In order to have the system utilize the upgraded packages after the upgrade, you must restart all running applications that are linked to libpng. You can obtain this list by executing "lsof|grep libpng" or "fuser -v /usr/lib/libpng.so".
Mandrake alert: glibc update
A buffer overflow vulnerability was found in the way that the glibc resolver handles the resolution of network names and addresses via DNS in glibc versions 2.2.5 and earlier. Only systems using the "dns" entry in the "networks" database in /etc/nsswitch.conf are vulnerable to this issue. By default, Mandrake Linux has this database set to "files" and is not vulnerable. Likewise, a similar bug is in the glibc-compat packages which provide compatability for programs compiled against 2.0.x versions of glibc.
Debian alert: New l2tpd packages adds better randomization
Current versions of l2tpd, a layer 2 tunneling client/server program,
forgot to initialize the random generator which made it vulnerable
since all generated random number were 100% guessable. When dealing
with the size of the value in an attribute value pair, too many bytes
were able to be copied, which could lead into the vendor field being
overwritten.
Debian alert: New xinetd packages fix local denial of service
Solar Designer found a vulnerability in xinetd, a replacement for the
BSD derived inetd. File descriptors for the signal pipe introduced in
version 2.3.4 are leaked into services started from xinetd. The
descriptors could be used to talk to xinetd resulting in crashing it
entirely. This is usually called a denial of service.
Debian alert: New interchange packages fix illegal file exposition
A problem has been discovered in Interchange, an e-commerce and
general HTTP database display system, which can lead to an attacker
being able to read any file to which the user of the Interchange
daemon has sufficient permissions, when Interchange runs in "INET
mode" (internet domain socket). This is not the default setting in
Debian packages, but configurable with Debconf and via configuration
file. We also believe that this bug cannot exploited on a regular
Debian system.
« Previous ( 1 ... 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 ... 7468 ) Next »