Linux Advisory Watch - November 12th 2004

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  November 5th, 2004                           Volume 5, Number 45a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for xpdf, libtiff3, sasl, shadow,
ruby, freeam, gzip, libgd1, gnats, libgd2, Gallery, ImageMagick, zgv,
mtink, Apache, pavuk, samba, libxml, webmin, and speedtouch.  The
distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, and
Trustix.

>> LinuxSecurity.com Version 2 <<

Get ready ... on December 1st the new LinuxSecurity.com site will be
revealed. The same great content you've come to expect with a whole new
look and great new features. A sneak preview is coming soon!

-----

Identify Gateway Machines

Special attention should be paid to gateway or firewall systems, as they
usually control access to the services running on the entire network.
Such gateways should be identified, its function within the network
shouild be assessed and owners or administrators should be identified.
These hosts, often referred to as ``bastion hosts'' are a prime target for
an intruder.  They should be some of the most fortified machines on the
network.

Be sure to regularly review the current access policies and security of
the system itself.

These ``systems'' should absolutely only be running the services necessary
to perform it's operation.  Your firewall should not be your mail server,
web server, contain user accounts, etc.  Some of the things you should
check for, and absolutely fortify on these hosts include:

 - Turn off access to all but necessary services.
 - Depending on the type of firewall, disable IP Forwarding, preventing
   the system from routing packets unless absolutely instructed to do so.
 - Update machine by installing vendor patches immediately.
 - Restrict network management utilities, such as SNMP,  ``public''
   communities, and write access.
 - Be sure firewall policy includes mechanisms for preventing common
   attacks such as IP Spoofing, Fragmentation attacks,
   Denial of Service, etc.
 - Monitor status very closely.  You should develop a reference point in
   which the machine normally operates to be able to detect variations
   which may indicate an intrusion.
 - Develop a comprehensive firewall model.  Firewalls should be treated as
   a security system, not just a program that runs on a machine and has an
   access control list.  Firewall administration should be centrally
   controlled and evaluation of firewall policies should be done prior to
   actual firewall deployment.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server
architecture to check for changes on a system.  A central server maintains
the file-integrity database and configuration for a client and at a
specified time, sends the configuration file over to the client, runs a
scan and sends the results back to the server to compare any changes.
Those changes are then sent via email, if configured, to a system admin or
group of people.  The communication is all done over an encrypted
communication channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 11/8/2004 - xpdf
   vulnerabilities fix

   Chris Evans discovered several integer overflows vulnerabilities
   in the xpdf code which can be exploited remotely by a specially
   crafted PDF document and may lead to the execution of arbitrary
   code.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5098.html

 11/8/2004 - libtiff3
   vulnerabilities fix

   This announcement fixes several integer overflow vulnerabilities
   that were encountered in libtiff.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5099.html

 11/11/2004 - sasl
   buffer overflow vulnerability fix

   A vulnerability[2] has been discovered in the Cyrus implementation
   of the SASL library. The library honors the environment variable
   SASL_PATH blindly, which allows a local attacker to link against a
   malicious library to run arbitrary code with the privileges of a
   setuid or setgid application.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5150.html


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 11/5/2004 - shadow
   unintended behaviour fix

   A vulnerability has been discovered in the shadow suite which
   provides programs like chfn and chsh.  It is possible for a user,
   who is logged in but has an expired password to alter his account
   information with chfn or chsh without having to change the
   password.  The problem was originally thought to be more severe.
   http://www.linuxsecurity.com/advisories/debian_advisory-5086.html

 11/8/2004 - ruby
   denial of service fix

   The upstream developers of Ruby have corrected a problem in the
   CGI module for this language.  Specially crafted requests could
   cause an infinite loop and thus cause the program to eat up cpu
   cycles.
   http://www.linuxsecurity.com/advisories/debian_advisory-5088.html

 11/8/2004 - freeam
   arbitrary code execution fix

   Luigi Auriemma discovered a buffer overflow condition in the
   playlist module of freeamp which could lead to arbitrary code
   execution. Recent versions of freeamp were renamed into zinf.
   http://www.linuxsecurity.com/advisories/debian_advisory-5089.html

 11/8/2004 - gzip
   insecure temporary files fix

   Trustix developers discovered insecure temporary file creation in
   supplemental scripts in the gzip package which may allow local
   users to overwrite files via a symlink attack.
   http://www.linuxsecurity.com/advisories/debian_advisory-5101.html

 11/9/2004 - libgd1
   arbitrary code execution fix

   "infamous41md" discovered several integer overflows in the PNG
   image decoding routines of the GD graphics library.  This could
   lead to the execution of arbitrary code on the victim's machine.
   http://www.linuxsecurity.com/advisories/debian_advisory-5133.html

 11/9/2004 - gnats
   arbitrary code execution fix

   Khan Shirani discovered a format string vulnerability in gnats,
   the GNU problem report management system.  This problem may be
   exploited to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-5134.html

 11/9/2004 - libgd2
   arbitrary code execution fix

   "infamous41md" discovered several integer overflows in the PNG
   image decoding routines of the GD graphics library.  This could
   lead to the execution of arbitrary code on the victim's machine.
   http://www.linuxsecurity.com/advisories/debian_advisory-5135.html


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 11/8/2004 - udev-039-10.FC3.1 update
   arbitrary code execution fix

   Due to debugging code left accidently in the FC3 udev package,
   SIGCHLD signals are blocked in udev, which prevents getting the
   proper exit status in udev.rules. This means no cdrom symlinks are
   created and pam_console does not apply desktop user ownerships to
   any cdrom devices.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5102.html

 11/8/2004 - initscripts-7.93.5-1 update
   arbitrary code execution fix

   This update fixes some minor bugs discovered after the final
   freeze date.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5103.html

 11/8/2004 - hotplug-2004_04_01-8 update
   arbitrary code execution fix

   This update fixes it so that the sg module gets loaded by hotplug
   for non-disk, non-optical devices.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5104.html

 11/8/2004 - ipsec-tools-0.3.3-2 update
   arbitrary code execution fix

   This update fixes the use of 'setkey' when reading from stdin (the
   '-c' argument).
   http://www.linuxsecurity.com/advisories/fedora_advisory-5105.html

 11/8/2004 - kde-i18n-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5106.html

 11/8/2004 - kdeaddons-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5107.html

 11/8/2004 - kdeadmin-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5108.html

 11/8/2004 - kdeartwork-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5109.html

 11/8/2004 - kdebase-3.3.1-4.1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5110.html

 11/8/2004 - kdebindings-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5111.html

 11/8/2004 - kdeedu-3.3.1-2.1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5112.html

 11/8/2004 - kdegames-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5113.html

 11/8/2004 - kdegraphics-3.3.1-2.1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5114.html

 11/8/2004 - kdelibs-3.3.1-2.2 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5115.html

 11/8/2004 - kdemultimedia-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5116.html

 11/8/2004 - kdenetwork-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5117.html

 11/8/2004 - kdepim-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5118.html

 11/8/2004 - kdesdk-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5119.html

 11/8/2004 - kdetoys-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5120.html

 11/8/2004 - kdeutils-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5121.html

 11/8/2004 - kdevelop-3.1.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5122.html

 11/8/2004 - kdewebdev-3.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5123.html

 11/8/2004 - arts-1.3.1-1 update
   arbitrary code execution fix

   KDE 3.3.1 update
   http://www.linuxsecurity.com/advisories/fedora_advisory-5124.html

 11/8/2004 - gpdf-2.8.0-8 update
   arbitrary code execution fix

   GPdf includes the gpdf application, a Bonobo control for PDF
   display which can be embedded in Nautilus, and a Nautilus property
   page for PDF files.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5125.html

 11/8/2004 - wireless-tools-27-0.pre25.3 update
   arbitrary code execution fix

   Fixes a memory leak during wireless scans that affects
   NetworkManager.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5126.html

 11/8/2004 - redhat-artwork-0.96-2 update
   arbitrary code execution fix

   This update fixes issues when using redhat-artwork on 64-bit
   platforms, having both 32 and 64 bit versions installed.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5127.html

 11/8/2004 - gnome-media-2.8.0-3.FC3.1 update
   arbitrary code execution fix

   GNOME (GNU Network Object Model Environment) is a user-friendly
   set of GUI applications and desktop tools to be used in
   conjunction with a window manager for the X Window System. The
   gnome-media package will install media features like the GNOME CD
   player.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5128.html

 11/8/2004 - zip-2.3-26.2 update
   arbitrary code execution fix

   A buffer overflow has been found in zip which will lead to a
   buffer overflow when a user try to create a zip archive which
   contains very long filenames.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5131.html

 11/8/2004 - zip-2.3-26.3 update
   arbitrary code execution fix

   A buffer overflow has been found in zip which will lead to a
   buffer overflow when a user try to create a zip archive which
   contains very long filenames.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5132.html

 11/9/2004 - gnumeric-1.2.13-8.fc3 update
   arbitrary code execution fix

   64bit excel {im|ex}port backport fixes
   http://www.linuxsecurity.com/advisories/fedora_advisory-5136.html

 11/10/2004 - system-config-users-1.2.27-0.fc2.1 update
   arbitrary code execution fix

   system-config-users is a graphical utility for administrating
   users and groups. It depends on the libuser library.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5140.html

 11/10/2004 - openoffice.org-1.1.2-11.5.fc3 update
   arbitrary code execution fix

   The fixes in this update are detailed in the changelog entry
   below.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5141.html

 11/10/2004 - openoffice.org-1.1.2-11.4.fc2 update
   arbitrary code execution fix

   The fixes in this update are detailed in the changelog entry
   below.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5142.html

 11/10/2004 - jwhois-3.2.2-6.FC3.1 update
   arbitrary code execution fix

   This update fixes a crash when a processing a query requires more
   than one redirection.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5143.html

 11/11/2004 - ruby-1.8.1-6.FC2.0 update
   arbitrary code execution fix

   Ruby is the interpreted scripting language for quick and easy
   object-oriented programming.  It has many features to process text
   files and to do system management tasks (as in Perl).  It is
   simple, straight-forward, and extensible.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5144.html

 11/11/2004 - ruby-1.8.1-7.FC3.1 update
   arbitrary code execution fix

   Ruby is the interpreted scripting language for quick and easy
   object-oriented programming. It has many features to process text
   files and to do system management tasks (as in Perl). It is
   simple, straight-forward, and extensible.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5145.html

 11/11/2004 - glibc-2.3.3-27.1 update
   arbitrary code execution fix

   The glibc package contains standard libraries which are used by
   multiple programs on the system. In order to save disk space and
   memory, as well as to make upgrading easier, common system code is
   kept in one place and shared between programs.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5153.html

 11/11/2004 - system-config-users-1.2.27-0.fc3.1 update
   arbitrary code execution fix

   system-config-users is a graphical utility for administrating
   users and groups. It depends on the libuser library.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5154.html

 11/11/2004 - libxml2-2.6.16-2 update
   arbitrary code execution fix

   This update to libxml2 fixes a variety of bugs found in 2.6.15,
   notably #137968.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5155.html

 11/11/2004 - libxml2-2.6.16-3 update
   arbitrary code execution fix

   This update to libxml2 fixes a variety of bugs found in 2.6.15,
   notably #137968.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5156.html

 11/11/2004 - gd-2.0.21-5.20.1 update
   arbitrary code execution fix

   Several buffer overflows were reported in various memory
   allocation calls. An attacker could create a carefully crafted
   image file in such a way that it could cause ImageMagick to
   execute arbitrary code when processing the image.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5157.html

 11/11/2004 - gd-2.0.28-1.30.1 update
   arbitrary code execution fix

   Several buffer overflows were reported in various memory
   allocation calls. An attacker could create a carefully crafted
   image file in such a way that it could cause ImageMagick to
   execute arbitrary code when processing the image.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5158.html

 11/11/2004 - unarj-2.63a-7 update
   arbitrary code execution fix

   A buffer overflow bug has been discovered in unarj when handling
   long file names contained in an archive. An attacker could create
   an archive with a specially crafted path which could cause unarj
   to crash or execute arbitrary instructions.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5159.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 11/6/2004 - GPdf, KPDF, KOffice Vulnerabilities in included xpdf
   arbitrary code execution fix

   The original fix introduced new vulnerabilities on 64-bit
   platforms. New fixed packages are available. Updated sections
   follow.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5090.html

 11/6/2004 - Xpdf, CUPS Multiple integer overflows
   arbitrary code execution fix

   The original fix introduced new vulnerabilities on 64-bit
   platforms. New fixed packages are available. Updated sections
   follow.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5091.html

 11/6/2004 - Gallery
   Cross-site scripting vulnerability

   Gallery is vulnerable to cross-site scripting attacks.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5092.html

 11/6/2004 - ImageMagick
   EXIF buffer overflow

   ImageMagick contains an error in boundary checks when handling
   EXIF information, which could lead to arbitrary code execution.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5093.html

 11/7/2004 - zgv
   Multiple buffer overflows

   zgv contains multiple buffer overflows that can potentially lead
   to the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5094.html

 11/7/2004 - Portage, Gentoolkit Temporary file vulnerabilities
   Multiple buffer overflows

   dispatch-conf (included in Portage) and qpkg (included in
   Gentoolkit) are vulnerable to symlink attacks, potentially
   allowing a local user to overwrite arbitrary files with the rights
   of the user running the script.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5095.html

 11/7/2004 - Kaffeine, gxine Remotely exploitable buffer overflow
   Multiple buffer overflows

   Kaffeine and gxine both contain a buffer overflow that can be
   exploited when accessing content from a malicious HTTP server with
   specially crafted headers.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5096.html

 11/8/2004 - OpenSSL, Groff Insecure tempfile handling
   Multiple buffer overflows

   groffer, included in the Groff package, and the der_chop script,
   included in the OpenSSL package, are both vulnerable to symlink
   attacks, potentially allowing a local user to overwrite arbitrary
   files with the rights of the user running the utility.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5097.html

 11/9/2004 - zip
   Path name buffer overflow

   zip contains a buffer overflow when creating a ZIP archive of
   files with very long path names. This could lead to the execution
   of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5137.html

 11/9/2004 - mtink
   Insecure tempfile handling

   mtink is vulnerable to symlink attacks, potentially allowing a
   local user to overwrite arbitrary files with the rights of the
   user running the utility.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5138.html

 11/10/2004 - Apache
   2.0 Denial of Service by memory consumption

   A flaw in Apache 2.0 could allow a remote attacker to cause a
   Denial of Service.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5139.html

 11/11/2004 - pavuk
   Multiple buffer overflows

   Pavuk contains multiple buffer overflows that can allow a remote
   attacker to run arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5151.html

 11/11/2004 - ez-ipupdate Format string vulnerability
   Multiple buffer overflows

   ez-ipupdate contains a format string vulnerability that could lead
   to execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5152.html

 11/11/2004 - samba
   Remote Denial of Service

   An input validation flaw in Samba may allow a remote attacker to
   cause a Denial of Service by excessive consumption of CPU cycles.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5160.html

 11/11/2004 - Davfs2, lvm-user Insecure tempfile handling
   Remote Denial of Service

   Davfs2 and the lvmcreate_initrd script (included in the lvm-user
   package) are both vulnerable to symlink attacks, potentially
   allowing a local user to overwrite arbitrary files with the rights
   of the user running them.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5161.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 11/5/2004 - shadow
   security bypass vulnerability fix

   A vulnerability in the shadow suite was discovered by Martin
   Schulze that can be exploited by local users to bypass certain
   security restrictions due to an input validation error in the
   passwd_check() function.  This function is used by the chfn and
   chsh tools.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5084.html

 11/5/2004 - libxml
   libxml2 multiple vulnerabilities fix

   Multiple buffer overflows were reported in the libxml XML parsing
   library.  These vulnerabilities may allow remote attackers to
   execute arbitray code via a long FTP URL that is not properly
   handled by the xmlNanoFTPScanURL() function, a long proxy URL
   containing FTP data that is not properly handled by the
   xmlNanoFTPScanProxy() function, and other overflows in the code
   that resolves names via DNS.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5085.html

 11/8/2004 - ruby
   remote DoS vulnerability fix

   Andres Salomon noticed a problem with the CGI session management
   in Ruby. The CGI:Session's FileStore implementations store session
   information in an insecure manner by just creating files and
   ignoring permission issues (CAN-2004-0755).
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5129.html

 11/10/2004 - webmin
   problem with some modules fix

   There was a problem with two modules in the webmin package that
   did not work correctly: the cron and backup modules. The updates
   packages fix the problem so the modules will again work.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5146.html

 11/11/2004 - ez-ipupdate format string vulnerability fix
   problem with some modules fix

   Ulf Harnhammar discovered a format string vulnerability in
   ez-ipupdate, a client for many dynamic DNS services. The updated
   packages are patched to protect against this problem.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5147.html

 11/11/2004 - speedtouch
   format string vulnerability fix

   The Speedtouch USB driver contains a number of format string
   vulnerabilities due to improperly made syslog() system calls.
   These vulnerabilities can be abused by a local user to potentially
   allow the execution of arbitray code with elevated privileges.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5148.html

 11/11/2004 - samba
   DoS vulnerability fix

   Karol Wiesek discovered a bug in the input validation routines in
   Samba 3.x used to match filename strings containing wildcard
   characters. This bug may allow a user to consume more than normal
   amounts of CPU cycles which would impact the performance and
   response of the server.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5149.html


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 11/5/2004 - apache
   buffer overflow

   Potential buffer overflow with escaped characters in SSI tag
   string. The Common Vulnerabilities and Exposures project
   (cve.mitre.org) has assigned the name CAN-2004-0940 to this issue.
   http://www.linuxsecurity.com/advisories/trustix_advisory-5087.html

 11/8/2004 - php, postfix, kernel, sqlgrey, sqlite package fixes
   buffer overflow

   PHP: Wrong "extension_dir" leads to problems loading modules.
   Postfix: Fixed a missing define that prevented dynamic loading of
   modules.
   http://www.linuxsecurity.com/advisories/trustix_advisory-5100.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux