Showing all newswire headlines

View by date, instead?

« Previous ( 1 ... 7429 7430 7431 7432 7433 7434 7435 7436 7437 7438 7439 ... 7468 ) Next »

Debian alert: New super packages fix local root exploit

  • Mailing list (Posted by dave on Aug 1, 2002 5:23 AM EDT)
  • Story Type: Security; Groups: Debian
GOBBLES found an insecure use of format strings in the super package. The included program super is intended to provide access to certain system users for particular users and programs, similar to the program super. Exploiting this format string vulnerability a local user can gain unauthorized root accesss.

SuSE alert: Not affected: openssh trojan from ftp.openbsd.org

  • Mailing list (Posted by dave on Aug 1, 2002 4:51 AM EDT)
  • Story Type: Security; Groups: SUSE
The openssh source tarball openssh-3.4p1.tar.gz from the openbsd ftp server http://ftp.openbsd.org has been trojaned with code that opens network connections to a server in the internet (203.62.158.32:6667) at compile time. The backdoor does not have any influence on the runtime behaviour of the package to our current knowlege. As of now, the package on the openbsd ftp server has not been removed/cleaned.

SuSE alert: wwwoffle

  • Mailing list (Posted by dave on Aug 1, 2002 3:42 AM EDT)
  • Story Type: Security; Groups: SUSE
The WWWOFFLE, World Wide Web Offline Explorer, program suite acts as a HTTP, FTP and Finger proxy to allow users with dial-up access to the internet to do offline WWW browsing.

Debian alert: Remote execution exploit in gallery

  • Mailing list (Posted by dave on Jul 31, 2002 3:47 PM EDT)
  • Story Type: Security; Groups: Debian
A problem was found in gallery (a web-based photo album toolkit): it was possible to pass in the GALLERY_BASEDIR variable remotely. This made it possible to execute commands under the uid of web-server.

Slackware alert: Security updates for Slackware 8.1

Several security updates are now available for Slackware 8.1, including updated packages for Apache, glibc, mod_ssl, openssh, openssl, and php.

SuSE alert: mod_ssl, mm

  • Mailing list (Posted by dave on Jul 31, 2002 8:20 AM EDT)
  • Story Type: Security; Groups: SUSE
This security announcement covers two different errors in packages used by and used with the apache package. The first bug is an off-by-one overflow in the code responsible for handling configuration directives in mod_ssl, the apache module that enables apache to serve SSL encrypted http protocol. This vulnerability allows a local attacker to use a specially prepared .htaccess file for a denial of service attack against a webserver child, resulting in an increased resource usage overhead on busy webservers, or possibly to execute arbitrary commands as the webserver user (wwwrun in the SuSE case). This bug has been discovered by Frank Denis. The second bug was found by Markus Meissner (while working for Caldera in 2001, now SuSE) and Sebastian Krahmer, SuSE Security, independently. It is a temporary file handling problem in libmm (package name is "mm"), a library for communication between forked processes using IPC semaphores, IPC shared memory and/or shared mmap()'ed files. The vulnerability allows a local attacker to gain root privileges once she has succeeded to gain the (local) privileges of the user wwwrun on the system running the apache webserver.

Red Hat alert: Updated mm packages fix temporary file handling

  • Mailing list (Posted by dave on Jul 31, 2002 12:54 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mm packages are now available for Red Hat Linux 7, 7.1, 7.2, and 7.3. These updates address possible vulnerabilities in how the MM library opens temporary files.

Debian alert: New mm packages fix insecure temporary file creation

  • Mailing list (Posted by dave on Jul 30, 2002 9:21 AM EDT)
  • Story Type: Security; Groups: Debian
Marcus Meissner and Sebastian Krahmer discovered and fixed a temporary file vulnerability in the mm shared memory library. This problem can be exploited to gain root access to a machine running Apache which is linked against this library, if shell access to the user ``www-data'' is already available (which could easily be triggered through PHP).

SuSE alert: openssl

  • Mailing list (Posted by dave on Jul 30, 2002 9:21 AM EDT)
  • Story Type: Security; Groups: SUSE
The openssl package provides encryption functions and is used by many applications on SuSE products.

Debian alert: Multiple OpenSSL problems

  • Mailing list (Posted by dave on Jul 30, 2002 4:47 AM EDT)
  • Story Type: Security; Groups: Debian
The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionaly, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan.

Red Hat alert: Updated openssl packages fix remote vulnerabilities

  • Mailing list (Posted by dave on Jul 30, 2002 2:47 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated OpenSSL packages are available which fix several serious buffer overflow vulnerabilities.

Red Hat alert: Updated util-linux package fixes password locking race

  • Mailing list (Posted by dave on Jul 29, 2002 7:01 AM EDT)
  • Story Type: Security; Groups: Red Hat
A locally exploitable vulnerability is present in the util-linux package shipped with Red Hat Linux

Red Hat alert: Updated glibc packages fix vulnerabilities in resolver

  • Mailing list (Posted by dave on Jul 24, 2002 2:32 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated glibc packages are available to fix two vulnerabilities in the resolver functions.

Red Hat alert: Updated mod_ssl packages available

  • Mailing list (Posted by dave on Jul 16, 2002 12:53 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mod_ssl packages are now available for Red Hat Linux 7, 7.1, 7.2, and 7.3. These updates incorporate a fix for an incorrect bounds check in versions of mod_ssl up to and including version

SuSE alert: Resolver

  • Mailing list (Posted by dave on Jul 10, 2002 11:18 AM EDT)
  • Story Type: Security; Groups: SUSE
A vulnerability has been discovered in some resolver library functions. The affected code goes back to the resolver library shipped as part of BIND4; code derived from it has been included in later BIND releases as well as the GNU libc.

SuSE alert: squid

  • Mailing list (Posted by dave on Jul 8, 2002 4:16 PM EDT)
  • Story Type: Security; Groups: SUSE
squid is a web proxy cache contained but not installed and activated by default on SuSE products.

Red Hat alert: New Squid packages available

  • Mailing list (Posted by dave on Jul 3, 2002 6:45 PM EDT)
  • Story Type: Security; Groups: Red Hat
New Squid packages are available which fix various security issues.

SuSE alert: openssh

  • Mailing list (Posted by dave on Jul 2, 2002 12:00 PM EDT)
  • Story Type: Security; Groups: SUSE
SuSE Security has issued two warnings and one SuSE Security Announcement on 25th and 26th of June concerning the vulnerabilities found in the openssh package that is contained and installed by default on most SuSE products. For a few days, the nature of the errors were unknown to the public, making it difficult for distributors to provide proper solutions against the problem. Now that details of the errors have been disclosed, we hereby re-release SuSE Security Announcement SuSE-SA:2002:023 (openssh) under a new announcement ID with links to a set of update packages that represent SuSE's permanent fix for the problems found.

Debian alert: buffer overflow / DoS in libapache-mod-ssl

  • Mailing list (Posted by dave on Jul 2, 2002 4:12 AM EDT)
  • Story Type: Security; Groups: Debian
The libapache-mod-ssl package provides SSL capability to the apache webserver. Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all trough specially crafted .htaccess files. More information about this vulnerability can be found at

Red Hat alert: Updated OpenSSH packages fix various security issues

  • Mailing list (Posted by dave on Jun 27, 2002 1:47 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated openssh packages are now available for Red Hat Linux 7, 7.1, 7.2, and 7.3. These updates fix an input validation error in OpenSSH.

« Previous ( 1 ... 7429 7430 7431 7432 7433 7434 7435 7436 7437 7438 7439 ... 7468 ) Next »