Showing all newswire headlines

The powerful text widget in the Tk toolkit offers many facilities to writers of Tcl, Perl and Python scripts.

Using Perl and CGIScripter to generate multi-platform Perl CGI code.

Using an X-based client server model to maintain network consistency.

Perl for work and for fun, an introduction to CVS and developing for Linux are covered in this round of mini book reviews.

The ISC (Internet Software Consortium) dhcp package is an imple- mentation of the "Dynamic Host Configuration Protocol" (DHCP). An internal source code audit done by ISC revealed several buffer overflows in the code which is responsible to handle dynamic DNS requests. These bugs allow an attacker to gain remote access to the dhcp server if the dynamic DNS feature is enabled. Dynamic DNS is not enabled by default on SuSE Linux.

Multiple vulnerabilities were discovered in the Common Unix Printing System (CUPS). Several of these issues represent the potential for a remote compromise or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

During a code review of the susehelp package the SuSE Security Team recognized that the security checks done by the susehelp CGI scripts are insufficient. Remote attackers can insert certain characters in CGI queries to the susehelp system tricking it into executing arbitrary code as the "wwwrun" user. Please note that this is only a vulnerability if you have a web server running and configured to allow access to the susehelp system by remote sites. We nevertheless recommend an update of this package. As a temporary workaround you may un-install the susehelp package by issuing the following command as root:

New DHCP packages are available for Slackware 8.1 and -current to fix buffer overflow security problems.

Multiple instances of improperly quoted shell command execution exist in KDE 2.x up to and including KDE 3.0.5. KDE fails to properly quote parameters of instructions passed to the shell for execution. These parameters may contain data such as filenames, URLs, email address, and so forth; this data may be provided remotely to a victim via email, web pages, files on a network filesystem, or other untrusted sources.

Several potential vulnerabilities were detected by the ISC (Internet Software Consortium) in their dhcp server software. The vulnerabilities affect the minires library and may be exploitable as stack buffer overflows, which could lead to remote code execution. All Mandrake Linux users are encouraged to upgrade; only Mandrake Linux 8.0 came with dhcp 2.x and is not vulnerable.

The Internet Software Consortium discoverd several vulnerabilities during an audit of the ISC DHCP Daemon. The vulnerabilities exist in error handling routines within the minires library and may be exploitable as stack overflows. This could allow a remote attacker to execute arbitrary code under the user id the dhcpd runs under, usually root. Other DHCP servers than dhcp3 doesn't seem to be affected.

Two vulnerabilities have been discovered in Bugzilla, a web-based bug tracking system, by its authors. The Common Vulnerabilities and Exposures Project identifies the following vulnerabilities:

Updated vim packages are now available for Red Hat Linux. These updates resolve a security issue when opening a specially crafted text file.

Several potential stack overflow vulnerabilities affect the ISC DHCPD server. This advisory provides fixed packages for Red Hat Linux 8.0.

Updated MySQL packages are available for Red Hat Linux 7, 7.1, 7.2, 7.3, and 8.0 which fix security vulnerabilities found in the MySQL server.

The advisory DSA 229-1 contained a typo in one file which could cause certain installations to fail suddenly.

Jouko Pynnonen discovered a probem with IMP, a web based IMAP mail program. Using carefully crafted URLs a remote attacker is able to inject SQL code into SQL queries without proper user authentication. Even though results of SQL queries aren't directly readable from the screen, an attacker might. update his mail signature to contain wanted query results and then view it on the preferences page of IMP.

A review was completed by the SuSE Security Team on the OpenLDAP server software, and this audit revealed several buffer overflows and other bugs that remote attackers could exploit to gain unauthorized access to the system running the vulnerable OpenLDAP servers. Additionally, various locally exploitable bugs in the OpenLDAP v2 libraries have been fixed as well.

A vulnerability was discovered by Jan Knutar in leafnode that Mark Brown pointed out could be used in a Denial of Service attack. This vulnerability causes leafnode to go into an infinite loop with 100% CPU use when an article that has been crossposed to several groups, one of which is the prefix of another, is requested by it's Message-ID.

Updated PostgreSQL packages are available for Red Hat Linux 7.3 and 8.0. These packages correct several security and other bugs. A separate advisory deals with updated PostgreSQL packages for Red Hat Linux 6.2, 7, 7.1, and 7.