Daniel Ahlberg | 2 Feb 2003 14:25

GLSA: Mail-SpamAssasin


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-01
--------------------------------------------------------------------

PACKAGE : Mail-SpamAssasin
SUMMARY : arbitrary code execution
DATE    : 2003-02-02 13:25 UTC
EXPLOIT : remote

--------------------------------------------------------------------

From advisory: 

"Attacker may be able to execute arbitrary code by sending a specially 
crafted e-mail to a system using SpamAssassin's spamc program in BSMTP 
mode (-B option). Versions from 2.40 to 2.43 are affected."

Read the full advisory at 
http://marc.theaimsgroup.com/?l=bugtraq&m=104342896818777&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-perl/Mail-SpamAssasin upgrade to Mail-SpamAssasin-2.44 as follows:

emerge sync
emerge -u Mail-SpamAssasin
emerge clean


Daniel Ahlberg | 2 Feb 2003 14:36

GLSA: slocate


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-02
--------------------------------------------------------------------

PACKAGE : slocate
SUMMARY : buffer overflow
DATE    : 2003-02-02 13:36 UTC
EXPLOIT : local

--------------------------------------------------------------------

From advisory: 

"The overflow appears when the slocate is run with two parameters: 
-c and -r, using as arguments a 1024 (or 10240, as Knight420 has 
informed us earlier) bytes string."

Read the full advisory at 
http://www.usg.org.uk/advisories/2003.001.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/slocate upgrade to slocate-2.7 as follows:

emerge sync
emerge -u slocate
emerge clean


Daniel Ahlberg | 4 Feb 2003 16:03

GLSA: qt-dcgui


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-03
--------------------------------------------------------------------

PACKAGE : qt-dcgui
SUMMARY : file leaking
DATE    : 2003-02-04 15:03 UTC
EXPLOIT : remote

--------------------------------------------------------------------

From announcement: 

"All versions < 0.2.2 have a major security vulnerability in the 
directory parser. This bug allows a remote attacker to download files 
outside the sharelist. It's recommended that you upgrade the packages 
immediately."

Read the full announcement at:
http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-p2p/qt-dcgui upgrade to qt-dcgui-0.2.4 as follows:

emerge sync
emerge -u qt-dcgui
emerge clean

Daniel Ahlberg | 5 Feb 2003 13:55

GLSA: bladeenc


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-04
--------------------------------------------------------------------

PACKAGE : bladeenc
SUMMARY : arbitrary code execution
DATE    : 2003-02-05 12:55 UTC
EXPLOIT : local

--------------------------------------------------------------------

From advisory: 

"A wave file lets the attacker execute all the code he wants on the 
victim"

Read the full advisory at:
http://www.pivx.com/luigi/adv/blade942-adv.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
media-sound/bladeenc upgrade to bladeenc-0.94.2-r1 as follows:

emerge sync
emerge -u bladeenc
emerge clean

--------------------------------------------------------------------

Aycan IRICAN | 7 Feb 2003 19:54

uml_net setuid


RHSA-2003:056-08

chmod -s /usr/bin/uml_net

--

-- 
Aycan IRICAN
Core Computer Security Group
Security Architect & SysAdm
Ankara / Turkiye

Daniel Ahlberg | 17 Feb 2003 10:17

GLSA: mailman


---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-05
---------------------------------------------------------------------

PACKAGE : mailman
SUMMARY : cross site scripting
DATE    : 2003-02-17 09:16 UTC
EXPLOIT : remote

---------------------------------------------------------------------

The email variable and the default error page in mailman 2.1 contain 
cross site scripting vulnerabilities.

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104342745916111&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/mailman upgrade to mailman-2.1.1 as follows:

emerge sync
emerge -u mailman
emerge clean

---------------------------------------------------------------------
aliz <at> gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
---------------------------------------------------------------------

Daniel Ahlberg | 17 Feb 2003 15:41

GLSA: syslinux


---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-06
---------------------------------------------------------------------

PACKAGE : syslinux
SUMMARY : security issues in installer
DATE    : 2003-02-17 14:40 UTC
EXPLOIT : local

---------------------------------------------------------------------

From syslinux changelog:

"Security flaws have been found in the SYSLINUX installer when running 
setuid root. Rewrite the SYSLINUX installer so it uses mtools instead. 
It therefore now requires mtools (specifically mcopy and mattrib) to 
exist on your system, but it will not require root privileges and 
SHOULD NOT be setuid."

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/syslinux upgrade to syslinux-2.02 as follows:

emerge sync
emerge -u syslinux
emerge clean

---------------------------------------------------------------------

Daniel Ahlberg | 17 Feb 2003 15:48

GLSA: w3m


---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-07
---------------------------------------------------------------------

PACKAGE : w3m
SUMMARY : missing HTML quoting
DATE    : 2003-02-17 14:47 UTC
EXPLOIT : remote

---------------------------------------------------------------------

From w3m release notes:

"Hironori SAKAMOTO found another security 
vulnerability in w3m 0.3.2.x that w3m will miss to escape html tag 
in img alt attribute, so malicious frame html may deceive you to 
access your local files, cookies and so on."

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/w3m upgrade to w3m-0.3.2.2 as follows:

emerge sync
emerge -u w3m
emerge clean

---------------------------------------------------------------------
aliz <at> gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz

Daniel Ahlberg | 18 Feb 2003 10:10

GLSA: nethack


---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-08
---------------------------------------------------------------------

PACKAGE : nethack
SUMMARY : buffer overflow
DATE    : 2003-02-18 09:10 UTC
EXPLOIT : local

---------------------------------------------------------------------

Overflowing a buffer in nethack may lead to privilege escalation to
games uid.

Read the full advisory at:
http://marc.theaimsgroup.com/?l=bugtraq&m=104489201032144&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-games/nethack upgrade to nethack-3.4.0-r6 as follows:

emerge sync
emerge -u nethack
emerge clean

---------------------------------------------------------------------
aliz <at> gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
---------------------------------------------------------------------

Daniel Ahlberg | 19 Feb 2003 14:28

GLSA: mod_php php


---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-09
---------------------------------------------------------------------

PACKAGE : mod_php php
SUMMARY : arbitrary code execution
DATE    : 2003-02-19 13:28 UTC
EXPLOIT : local

---------------------------------------------------------------------

From release notes:

"PHP contains code for preventing direct access to the CGI binary with 
configure option "--enable-force-cgi-redirect" and php.ini option 
"cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these 
options useless."

Read the full release notes at:
http://www.php.net/release_4_3_1.php

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-php/mod_php and/or dev-php/php upgrade to php-4.3.1 
and/or mod_php-4.3.1 as follows:

emerge sync
emerge -u mod_php and/or emerge -u php