Showing all newswire headlines


Red Hat alert: Updated mgetty packages are now available.

  • Mailing list (Posted by dave on Sep 11, 2000 10:57 AM EDT)
  • Story Type: Security; Groups: Red Hat
The mgetty-sendfax package contains a vulnerability which allows any user with access to the /var/tmp directory to destroy any file on any mounted filesystem.

Debian alert: New version of xpdf released

  • Mailing list (Posted by dave on Sep 10, 2000 5:22 AM EDT)
  • Story Type: Security; Groups: Debian
xpdf as distributed in Debian GNU/Linux 2.2 suffered from two problems: 1. creation of temporary files was not done safely, which made xpdf vulnerable to a symlink attack. 2. when handling URLs in documents, no checking was done for shell metacharacters before starting the browser. This makes it possible to construct a document which causes xpdf to run arbitrary commands when the user views a URL.

Debian alert: New version of horde and imp released

  • Mailing list (Posted by dave on Sep 10, 2000 5:05 AM EDT)
  • Story Type: Security; Groups: Debian
imp as distributed in Debian GNU/Linux 2.2 suffered from insufficient checking of user supplied data: the IMP webmail interface did not check the $from variable which contains the sender address for shell metacharacters. This could be used to run arbitrary commands on the server running imp.

Red Hat alert: glibc vulnerabilities in ld.so, locale and gettext

  • Mailing list (Posted by dave on Sep 7, 2000 12:37 PM EDT)
  • Story Type: Security; Groups: Red Hat
Several bugs were discovered in glibc which could allow local users to gain root privileges.

SuSE alert: apache

  • Mailing list (Posted by dave on Sep 7, 2000 10:02 AM EDT)
  • Story Type: Security; Groups: SUSE
The default package selection in SuSE distributions includes apache. The configuration file that comes with the package contains two security relevant errors:

SuSE alert: screen

  • Mailing list (Posted by dave on Sep 6, 2000 9:37 AM EDT)
  • Story Type: Security; Groups: SUSE
screen, a tty multiplexer, is installed suid root by default on SuSE Linux distributions. By supplying a thoughtfully designed string as the visual bell message, local users can obtain root privilege. Exploit information has been published on security forums.

SuSE alert: shlibs (glibc)

  • Mailing list (Posted by dave on Sep 6, 2000 2:30 AM EDT)
  • Story Type: Security; Groups: SUSE
The glibc implementations in all SuSE distributions starting with SuSE-6.0 have multiple security problems where at least one of them allows any local user to gain root access to the system.

Slackware alert: glibc 2.1.3 vulnerabilities patched

Three locale-related vulnerabilities with glibc 2.1.3 were recently reported on BugTraq. These vulnerabilities could allow local users to gain root access.

Debian alert: glibc update for Debian GNU/Linux 2.1 (update)

  • Mailing list (Posted by dave on Sep 5, 2000 6:58 AM EDT)
  • Story Type: Security; Groups: Debian
Recently two problems have been found in the glibc suite, which could be used to trick setuid applications to run arbitrary code.

Debian alert: glibc update for Debian GNU/Linux 2.1

  • Mailing list (Posted by dave on Sep 4, 2000 3:59 PM EDT)
  • Story Type: Security; Groups: Debian
Recently two problems have been found in the glibc suite, which could be used to trick setuid applications to run arbitrary code.

Debian alert: new version of screen released

  • Mailing list (Posted by dave on Sep 4, 2000 3:56 AM EDT)
  • Story Type: Security; Groups: Debian
A format string bug was recently discovered in screen which can be used to gain elevated privileges if screen is setuid. Debian 2.1 (slink) did ship screen setuid and the exploit can be used to gain root privileges. In Debian 2.2 (potato) screen is not setuid, and is not vulnerable to a root exploit. screen is, however, setgid utmp in Debian 2.2 (potato) and we recommend upgrading.

Slackware alert: Perl root exploit in Slackware 7.1 & -current

A root exploit was found in the /usr/bin/suidperl5.6.0 program that shipped with the Slackware 7.1 perl.tgz package.

Debian alert: New version of glibc released

  • Mailing list (Posted by dave on Sep 2, 2000 8:17 AM EDT)
  • Story Type: Security; Groups: Debian
Recently two problems have been found in the glibc suite, which could be used to trick setuid applications to run arbitrary code.

Debian alert: New version of Netscape Communicator/Navigator released

  • Mailing list (Posted by dave on Sep 1, 2000 5:08 PM EDT)
  • Story Type: Security; Groups: Debian
Existing Netscape Communicator/Navigator packages contain the following vulnerabilities:

Red Hat alert: glibc vulnerabilities in ld.so, locale and gettext

  • Mailing list (Posted by dave on Sep 1, 2000 11:37 AM EDT)
  • Story Type: Security; Groups: Red Hat
Several bugs were discovered in glibc which could allow local users to gain root privileges.

Debian alert: New version of xchat released (update)

  • Mailing list (Posted by dave on Aug 30, 2000 6:36 AM EDT)
  • Story Type: Security; Groups: Debian
The version of X-Chat that was distributed with Debian GNU/Linux 2.2 has a vulnerability in the URL handling code: when a user clicks on a URL, X-Chat will start netscape to view its target. However, it did not check the URL for shell metacharacters, and this could be abused to trick xchat into executing arbitrary commands.

Debian alert: New version of xchat released

  • Mailing list (Posted by dave on Aug 30, 2000 6:22 AM EDT)
  • Story Type: Security; Groups: Debian
The version of X-Chat that was distributed with Debian GNU/Linux 2.2 has a vulnerability in the URL handling code: when a user clicks on a URL, X-Chat will start netscape to view its target. However, it did not check the URL for shell metacharacters, and this could be abused to trick xchat into executing arbitrary commands.

Debian alert: New version of ntop released

  • Mailing list (Posted by dave on Aug 29, 2000 2:36 PM EDT)
  • Story Type: Security; Groups: Debian
The updated version of ntop (1.2a7-10) that was released on August 5 was found to still be insecure: it was still exploitable using buffer overflows. Using this technique it was possible to run arbitrary code as the user who ran ntop in web mode.

Red Hat alert: Updated usermode packages.

  • Mailing list (Posted by dave on Aug 29, 2000 7:32 AM EDT)
  • Story Type: Security; Groups: Red Hat
Updated usermode packages are now available for Red Hat Linux 6.0, 6.1, and 6.

SuSE alert: Netscape

  • Mailing list (Posted by dave on Aug 24, 2000 5:06 AM EDT)
  • Story Type: Security; Groups: SUSE
Due to US-American export restrictions for cryptographical software, we are unable to provide update packages on our US ftp server http://ftp.suse.com. Instead, the packages can be found on http://ftp.suse.de. For

The legal issues have been resolved: Here are the links to download the SuSE Netscape update packages from our US-American ftp server:
