Showing all newswire headlines


Red Hat alert: Updated glibc packages fix vulnerabilities in resolver

  • Mailing list (Posted by dave on Jul 24, 2002 2:32 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated glibc packages are available to fix two vulnerabilities in the resolver functions.

Red Hat alert: Updated mod_ssl packages available

  • Mailing list (Posted by dave on Jul 16, 2002 12:53 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mod_ssl packages are now available for Red Hat Linux 7, 7.1, 7.2, and 7.3. These updates incorporate a fix for an incorrect bounds check in versions of mod_ssl up to and including version

SuSE alert: Resolver

  • Mailing list (Posted by dave on Jul 10, 2002 11:18 AM EDT)
  • Story Type: Security; Groups: SUSE
A vulnerability has been discovered in some resolver library functions. The affected code goes back to the resolver library shipped as part of BIND4; code derived from it has been included in later BIND releases as well as the GNU libc.

SuSE alert: squid

  • Mailing list (Posted by dave on Jul 8, 2002 4:16 PM EDT)
  • Story Type: Security; Groups: SUSE
squid is a web proxy cache contained but not installed and activated by default on SuSE products.

Red Hat alert: New Squid packages available

  • Mailing list (Posted by dave on Jul 3, 2002 6:45 PM EDT)
  • Story Type: Security; Groups: Red Hat
New Squid packages are available which fix various security issues.

SuSE alert: openssh

  • Mailing list (Posted by dave on Jul 2, 2002 12:00 PM EDT)
  • Story Type: Security; Groups: SUSE
SuSE Security has issued two warnings and one SuSE Security Announcement on 25th and 26th of June concerning the vulnerabilities found in the openssh package that is contained and installed by default on most SuSE products. For a few days, the nature of the errors was unknown to the public, making it difficult for distributors to provide proper solutions against the problem. Now that details of the errors have been disclosed, we hereby re-release SuSE Security Announcement SuSE-SA:2002:023 (openssh) under a new announcement ID with links to a set of update packages that represent SuSE's permanent fix for the problems found.

Debian alert: buffer overflow / DoS in libapache-mod-ssl

  • Mailing list (Posted by dave on Jul 2, 2002 4:12 AM EDT)
  • Story Type: Security; Groups: Debian
The libapache-mod-ssl package provides SSL capability to the apache webserver. Recently, a problem has been found in the handling of .htaccess files, allowing arbitrary code execution as the web server user (regardless of ExecCGI / suexec settings), DoS attacks (killing off apache children), and allowing someone to take control of apache child processes - all through specially crafted .htaccess files. More information about this vulnerability can be found at

Red Hat alert: Updated OpenSSH packages fix various security issues

  • Mailing list (Posted by dave on Jun 27, 2002 1:47 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated openssh packages are now available for Red Hat Linux 7, 7.1, 7.2, and 7.3. These updates fix an input validation error in OpenSSH.

Debian alert: OpenSSH Remote Challenge Vulnerability

  • Mailing list (Posted by dave on Jun 27, 2002 4:50 AM EDT)
  • Story Type: Security; Groups: Debian
This advisory is an update to DSA-134-3: this advisory contains updated information that is relevant to all Debian installations of OpenSSH (the ssh package). DSA-134-4 supersedes previous versions of DSA-134.

Red Hat alert: Updated mailman packages available

  • Mailing list (Posted by dave on Jun 27, 2002 12:30 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mailman packages are now available for Red Hat Secure Web Server 3.2 (U.S.). These updates resolve a cross-site scripting vulnerability present in versions of Mailman prior to

Red Hat alert: Updated secureweb packages fix chunked encoding issue

  • Mailing list (Posted by dave on Jun 26, 2002 2:55 PM EDT)
  • Story Type: Security; Groups: Red Hat
The Apache Web server contains a security vulnerability which can be used to launch a denial of service attack, or in some cases, allow remote code execution. Red Hat Secure Web server is based on the Apache Web server and the secureweb package has been updated to fix this denial of service vulnerability.

Slackware alert: New OpenSSH packages available

"While testing for Oracle vulnerabilities, Mark Litchfield discovered a denial of service attack for Apache on Windows. Investigation by the Apache Software Foundation showed that this issue has a wider scope, which on some platforms results in a denial of service vulnerability, while on some other platforms presents a potential remote exploit vulnerability."

SuSE alert: More information on the OpenSSH vulnerability

  • Mailing list (Posted by dave on Jun 26, 2002 9:57 AM EDT)
  • Story Type: Security; Groups: SUSE
ISS and the OpenSSH team just released advisories concerning the OpenSSH vulnerability.

Debian alert: Unknown OpenSSH remote vulnerability

  • Mailing list (Posted by dave on Jun 25, 2002 7:50 PM EDT)
  • Story Type: Security; Groups: Debian
This advisory is an update to DSA-134-2: the changes mainly deal with packaging issues; if you have already successfully installed an openssh package from a previous DSA-134 advisory you may disregard this message.

SuSE alert: OpenSSH

  • Mailing list (Posted by dave on Jun 25, 2002 8:10 AM EDT)
  • Story Type: Security; Groups: SUSE
There's a new vulnerability in the OpenSSH daemon, of which we were notified yesterday.

Debian alert: Unknown OpenSSH remote vulnerability

  • Mailing list (Posted by dave on Jun 25, 2002 4:37 AM EDT)
  • Story Type: Security; Groups: Debian
This advisory is an update to DSA-134-1: some extra information is provided on broken or changed functionality in this new release and packages for Debian GNU/Linux 2.2/potato are now available.

SuSE alert: OpenSSH Vulnerability

  • Mailing list (Posted by dave on Jun 25, 2002 12:39 AM EDT)
  • Story Type: Security; Groups: SUSE
There's a new vulnerability in the OpenSSH daemon. The OpenSSH/OpenBSD team does not release any details concerning this issue, except:

Mandrake alert: openssh update

Details of an upcoming OpenSSH vulnerability will be published early next week. According to the OpenSSH team, this remote vulnerability cannot be exploited when sshd is running with privilege separation. The priv separation code is significantly improved in version 3.3 of OpenSSH which was released on June 21st. Unfortunately, there are some known problems with this release; compression does not work on all operating systems and the PAM support has not been completed. The OpenSSH team encourages everyone to upgrade to version 3.3 immediately and enable privilege separation.

Debian alert: OpenSSH remote vulnerability

  • Mailing list (Posted by dave on Jun 24, 2002 1:56 PM EDT)
  • Story Type: Security; Groups: Debian
Theo de Raadt announced that the OpenBSD team is working with ISS on a remote exploit for OpenSSH (a free implementation of the Secure SHell protocol). They are refusing to provide any details on the vulnerability but instead are advising everyone to upgrade to the latest release, version 3.3.

Mandrake alert: apache update (revised)

[ Please note that this advisory supersedes the previous MDKSA-2002:039 and MDKSA-2002:039-1 advisories. ] MandrakeSoft is urging all users of Mandrake Linux to update their Apache installations immediately. What was previously thought to have been a DoS-only condition has now been proven to be more than that; exploitable conditions have been discovered on both 32bit and 64bit platforms.
