Showing all newswire headlines

The following packages are now available for Multi Network Firewall 8.2 and bring it up to the same errata level as Mandrake Linux 8.2 with all patches and updates available to date applied.

Updated vte packages that fix a vulnerability in gnome-terminal are available for Red Hat Linux 8.0.

A vulnerability was discovered in the VNC server script that generates an X cookie, used by X authentication. The script generated a cookie that was not strong enough and allow an attacker to more easily guess the authentication cookie, thus obtaining unauthorized access to the VNC server.

A vulnerability was discovered in lynx, a text-mode web browser. The HTTP queries that lynx constructs are from arguments on the command line or the $WWW_HOME environment variable, but lynx does not properly sanitize special characters such as carriage returns or linefeeds. Extra headers can be inserted into the request because of this, which can cause scripts that use lynx to fetch data from the wrong site from servers that use virtual hosting.

A vulnerability has been discovered in OpenSSL, a Secure Socket Layer (SSL) implementation. In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC cipher suites used in SSL and TLS. OpenSSL has been found to vulnerable to this attack.

A vulnerability was discovered in the Kerberos FTP client. When the client retrieves a file that has a filename beginning with a pipe character, the FTP client will pass that filename to the command shell in a system() call. This could allow a malicious remote FTP server to write to files outside of the current directory or even execute arbitrary commands as the user using the FTP client.

In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.

A problem has been discovered in slocate, a secure locate replacement. A buffer overflow in the setuid program slocate can be used to execute arbitrary code as superuser.

Updated VNC packages are available to fix a challenge replay vulnerability and a weak cookie vulnerability.

Updated shadow-utils packages correct a bug that caused the useradd tool to create mail spools with incorrect permissions.

A buffer overflow was discovered in the wordwrap() function in versions of PHP greater than 4.1.2 and less than 4.3.0. Under certain circumstances, this buffer overflow can be used to overwite heap memory and could potentially lead to remote system compromise.

A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. They have been fixed in the latest unstable version, 3.10.5 which contains additional enhancements like USB support, and the latest stable version, 3.8.6.

Andreas Beck discovered that the pam_xauth module would forward authorization information from the root account to unprivileged users. This can be exploited by a local attacker to gain access to the root user's X session. In order for it to be successfully exploited, the attacker would have to somehow get the root user to su to the account belonging to the attacker.

The Apache module mod_php4 supports the widely used Web scripting language PHP. Under some special circumstances a buffer overflow can be triggered in mod_php4's wordwrap() function. This buffer overflow can be used to overwrite heap memory and possibly can lead to remote system compromise. Just mod_php4 versions greater than 4.1.2 and less than 4.3.0 are vulnerable. This affects SuSE Linux 8.1 and all SuSE Linux Enterprise Server 8 based products.

IMP is a well known PHP-based web-mail system. Some SQL-injection vulnerabilities were found in IMP 2.x that allow an attacker to access the underlying database. No authentication is needed to exploit this bug. An attacker can gain access to protected information or, in conjunction with PostgreSQL, execute shell commands remotely.

This update corrects a library dependency for the libcupsys2 package which sneaked in with the last security update to CUPS for the stable distribution (woody).

Hironori Sakamoto, one of the w3m developers, found two security vulnerabilities in w3m and associated programs. The w3m browser does not properly escape HTML tags in frame contents and img alt attributes. A malicious HTML frame or img alt attribute may deceive a user to send his local cookies which are used for configuration. The information is not leaked automatically, though.

The util-linux package provides the mcookie utility, a tool for generating random cookies that can be used for X authentication. The util-linux packages that were distributed with Mandrake Linux 8.2 and 9.0 had a patch that made it use /dev/urandom instead of /dev/random, which resulted in the mcookie being more predictable than it would otherwise be. This patch has been removed in these updates, giving mcookie a better source of entropy and making the generated cookies less predictable. Thanks to Dirk Mueller for pointing this out.

Hironori Sakamoto, one of the w3m developers, found two security vulnerabilities in w3m and associated programs. The w3m browser does not properly escape HTML tags in frame contents and img alt attributes. A malicious HTML frame or img alt attribute may deceive a user to send his local cookies which are used for configuration. The information is not leaked automatically, though.

New fileutils packages for Red Hat Linux 6.2, 7.0, 7.1, 7.2 and 7.3 fix a race condition in recursive remove and move commands.