Showing all newswire headlines


Red Hat alert: Stronghold: Chunked encoding vulnerability in Apache

  • Mailing list (Posted by dave on Jun 20, 2002 5:26 AM EDT)
  • Story Type: Security; Groups: Red Hat
The Apache Web server contains a security vulnerability which can be used to launch a denial of service attack, or in some cases, allow remote code execution.

Red Hat alert: Updated Apache packages fix chunked encoding issue

  • Mailing list (Posted by dave on Jun 19, 2002 3:57 PM EDT)
  • Story Type: Security; Groups: Red Hat
The Apache Web server contains a security vulnerability which can be used to launch a denial of service attack, or in some cases, allow remote code execution.

SuSE alert: Apache

  • Mailing list (Posted by dave on Jun 19, 2002 8:26 AM EDT)
  • Story Type: Security; Groups: SUSE
There is a bug in the way the Apache web server handles HTTP requests that use "chunked mode". Chunked mode is an HTTP 1.1 feature that allows a client to send data as a sequence of chunks rather than en bloc. This is useful if it doesn't know the overall length of the content at the time it starts transmitting.

Debian alert: apache-ssl chunk handling vulnerability

  • Mailing list (Posted by dave on Jun 19, 2002 5:09 AM EDT)
  • Story Type: Security; Groups: Debian
Mark Litchfield found a denial of service attack in the Apache web-server. While investigating the problem, the Apache Software Foundation discovered that the code for handling invalid requests which use chunked encoding also might allow arbitrary code execution on 64-bit architectures.

Debian alert: Apache chunk handling vulnerability, update

  • Mailing list (Posted by dave on Jun 19, 2002 4:22 AM EDT)
  • Story Type: Security; Groups: Debian
The DSA-131-1 advisory for the Apache chunk handling vulnerability contained an error and was missing some essential information:

Debian alert: Apache chunk handling vulnerability

  • Mailing list (Posted by dave on Jun 18, 2002 5:19 PM EDT)
  • Story Type: Security; Groups: Debian
Mark Litchfield found a denial of service attack in the Apache web-server. While investigating the problem, the Apache Software Foundation discovered that the code for handling invalid requests which use chunked encoding also might allow arbitrary code execution on 64-bit architectures.

Red Hat alert: Relaxed LPRng job submission policy

  • Mailing list (Posted by dave on Jun 10, 2002 12:29 PM EDT)
  • Story Type: Security; Groups: Red Hat
The LPRng print spooler, as shipped in Red Hat Linux 7.x, accepts all remote print jobs by default.

Red Hat alert: Updated mailman packages available

  • Mailing list (Posted by dave on Jun 10, 2002 12:28 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mailman packages are now available for Red Hat Linux 7.2 and 7.3. These updates resolve a cross-site scripting vulnerability present in versions of Mailman prior to

Red Hat alert: Updated mailman packages available

  • Mailing list (Posted by dave on Jun 10, 2002 12:27 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated mailman packages are now available for Red Hat Power Tools 7 and 7.1. These updates resolve a cross-site scripting vulnerability present in versions of Mailman prior to

Red Hat alert: Updated ethereal packages are available

  • Mailing list (Posted by dave on Jun 5, 2002 10:54 PM EDT)
  • Story Type: Security; Groups: Red Hat
Updated ethereal packages are available which fix several security problems.

SuSE alert: bind9/bind9-beta

  • Mailing list (Posted by dave on Jun 5, 2002 6:46 PM EDT)
  • Story Type: Security; Groups: SUSE
There is a bug in the BIND9 name server that is triggered when processing certain types of DNS replies. When this happens an assertion will fail, and named will log a message to the system log before exiting. This means a remote attacker can easily shut down the name server process.

Red Hat alert: Ghostscript command execution vulnerability

  • Mailing list (Posted by dave on Jun 4, 2002 11:39 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated packages are available for GNU Ghostscript which fix a vulnerability found during Postscript interpretation.

Red Hat alert: Updated bind packages fix denial of service attack

  • Mailing list (Posted by dave on Jun 4, 2002 11:35 AM EDT)
  • Story Type: Security; Groups: Red Hat
Version 9 of the bind name prior to version 9.

Red Hat alert: Updated xchat packages fix /dns vulnerability

  • Mailing list (Posted by dave on Jun 4, 2002 11:24 AM EDT)
  • Story Type: Security; Groups: Red Hat
A security issue in XChat allows a malicious server to execute arbitrary commands.

Mandrake alert: bind update

A vulnerability was discovered in the BIND9 DNS server in versions prior to 9.2.1. An error condition will trigger the shutdown of the server when the rdataset parameter to the dns_message_findtype() function in message.c is not NULL as expected. This condition causes the server to assert an error message and shut down the BIND server. The error condition can be remotely exploited by a special DNS packet. This can only be used to create a Denial of Service on the server; the error condition is correctly detected, so it will not allow an attacker to execute arbitrary code on the server.

Red Hat alert: Updated nss_ldap packages fix pam_ldap vulnerability

  • Mailing list (Posted by dave on Jun 4, 2002 12:36 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7, 7.1, 7.2, and 7.3. These packages fix a string format vulnerability in the pam_ldap module. [Update Jun 4, 2002] Replacement packages have been added for Red Hat Linux 6.

Debian alert: memory allocation error in ethereal

  • Mailing list (Posted by dave on Jun 1, 2002 5:37 AM EDT)
  • Story Type: Security; Groups: Debian
Ethereal versions prior to 0.9.3 were vulnerable to an allocation error in the ASN.1 parser. This can be triggered when analyzing traffic using the SNMP, LDAP, COPS, or Kerberos protocols in ethereal. This vulnerability was announced in the ethereal security advisory enpa-sa-00003 and has been given the proposed CVE id of CAN-2002-0353. This issue has been corrected in ethereal version 0.8.0-3potato for Debian 2.2 (potato).

Debian alert: in.uucpd string truncation problem

  • Mailing list (Posted by dave on Jun 1, 2002 4:56 AM EDT)
  • Story Type: Security; Groups: Debian
We have received reports that in.uucpd, an authentication agent in the uucp package, does not properly terminate certain long input strings. This has been corrected in uucp package version 1.06.1-11potato3 for Debian 2.2 (potato) and in version 1.06.1-18 for the upcoming (woody) release.

Mandrake alert: dhcp update

Fermin J. Serna discovered a problem in the dhcp server and client package from versions 3.0 to 3.0.1rc8, which are affected by a format string vulnerability that can be exploited remotely.

Red Hat alert: Updated tcpdump packages fix buffer overflow

  • Mailing list (Posted by dave on May 30, 2002 4:52 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS packets.
