Linux Advisory Watch - November 16th 2001


+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 16th, 2001                      Volume 2, Number 46a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.

This week advisories were released for webalizer, ssh-nonfree, ssh-socks,
postfix, and the Korean release of Red Hat.  The vendors include Conectiva,
Debian, and Red Hat.  Are you looking for more Linux security related
information?  Hal Burgiss has finished the first version of his very
thorough Linux Security Quick-Start Guide. In an interview,
LinuxSecurity.com speaks with Hal about his documents and Linux security.

http://www.linuxsecurity.com/feature_stories/feature_story-93.html 
  
  
  ** FREE Apache SSL Guide from Thawte ** 

 Planning Web Server Security? Find out how to implement SSL! Get
 the free Thawte Apache SSL Guide and find the answers to all your 
 Apache SSL security issues and more at: 

 http://www.gothawte.com/rd92.html 


Setup a Rock-Solid Server in Minutes!  The EnGarde Linux distribution was
designed from the ground up as a secure solution, starting with the
principle of least privilege, and carrying it through every aspect of its
implementation.
 
http://www.engardelinux.org 

Take advantage of our Linux Security discussion list!  This mailing list
is for general security-related questions and comments. To subscribe send
an e-mail to security-discuss-request@linuxsecurity.com with "subscribe"
as the subject.
 
 
 
+---------------------------------+
|  webalizer                      | ----------------------------//
+---------------------------------+

Magnux Software[1] discovered and publicized[2] a cross site scripting
vulnerability[3] in webalizer that allows an attacker to insert malicious
HTML tags directly into the generated reports. Doing so, he/she can force
the viewer (using a web browser) to visit some URL or even execute some
unwanted code (like JavaScript), which is an unexpected behaviour.
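The advisory above describes the root cause in one sentence: fields that the remote client controls (in webalizer's case the referrer and user-agent strings pulled from the access log) are copied into HTML without escaping. The following is an added illustration, not webalizer's code, of what a log-report generator must do with such fields: escape them before they land in a table cell, and only turn a referrer into a hyperlink when its scheme is http or https. The log lines, the parser and the two cell renderers are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample lines in combined log format (not from the advisory).
# The referrer and user-agent fields are chosen by the remote client, so a
# report generator that copies them into HTML unescaped is an XSS sink.
SAMPLE_LOG = [
    '10.0.0.1 - - [16/Nov/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1234 '
    '"http://example.org/links.html" "Mozilla/4.0 (compatible)"',
    '10.0.0.2 - - [16/Nov/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1234 '
    '"<script>alert(1)</script>" "Mozilla/4.0 (compatible)"',
    '10.0.0.3 - - [16/Nov/2001:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 1234 '
    '"javascript:alert(1)" "Mozilla/4.0 (compatible)"',
]

# Combined log format: host ident user [time] "request" status size "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def unsafe_referrer_cell(referrer):
    """What a naive report generator does: the raw field goes straight into HTML."""
    return f'<td><a href="{referrer}">{referrer}</a></td>'


def safe_referrer_cell(referrer):
    """Escape the text for HTML, and only hyperlink http(s) referrers."""
    text = html.escape(referrer, quote=True)
    scheme = urlsplit(referrer).scheme.lower()
    if scheme in ("http", "https"):
        return f'<td><a href="{text}">{text}</a></td>'
    # Anything else (javascript:, data:, bare markup) is shown as inert text.
    return f"<td>{text}</td>"


def referrer_counts(lines):
    """Count hits per referrer, skipping lines the parser rejects."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["referrer"]] = counts.get(rec["referrer"], 0) + 1
    return counts


def render_referrer_table(lines, cell=safe_referrer_cell):
    """Render a 'top referrers' table; pass cell=unsafe_referrer_cell to see the bug."""
    rows = []
    for ref, n in sorted(referrer_counts(lines).items(), key=lambda kv: -kv[1]):
        rows.append(f"<tr><td>{n}</td>{cell(ref)}</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_referrer_table(SAMPLE_LOG))
```

The scheme check matters as much as the escaping: a referrer is inert once escaped, but the report also hyperlinks it, and an anchor whose href carries a non-http scheme is exactly the "force the viewer to visit some URL" case the advisory mentions.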

 Conectiva: 
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 webalizer-2.01_09-1U70_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 webalizer-doc-2.01_09-1U70_1cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1692.html


 
+---------------------------------+
|  ssh-nonfree, ssh-socks         | ----------------------------//
+---------------------------------+ 

We have received reports that the "SSH CRC-32 compensation attack detector
vulnerability" is being actively exploited. This is the same integer type
error previously corrected for OpenSSH in DSA-027-1. OpenSSH (the Debian
ssh package) was fixed at that time, but ssh-nonfree and ssh-socks were
not.

 Debian Intel ia32 architecture: 

 http://security.debian.org/dists/potato/updates/non-free/binary-i386/ssh-askpass-nonfree_1.2.27-6.2_i386.deb 
 MD5 checksum: e43c6b7ad3a6cf71d07f528ad9adb34c 

 http://security.debian.org/dists/potato/updates/non-free/binary-i386/ssh-nonfree_1.2.27-6.2_i386.deb 
 MD5 checksum: e4f6db9acb54b9e3dc75315a66207840 

 http://security.debian.org/dists/potato/updates/non-free/binary-i386/ssh-socks_1.2.27-6.2_i386.deb 
 MD5 checksum: 0eab3e6250c3aa4130ec5a2f719531e6 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1694.html
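The Debian update above publishes an MD5 checksum beside each package so that an administrator can confirm what was downloaded is what the vendor built. The script below is an added example, not Debian's tooling: it turns the package names and checksums listed above into a manifest, hashes each file in a download directory in chunks, and reports ok, mismatch or missing per entry. Because the real packages are not available here, the demo function builds stand-in files with constructed contents to exercise all three outcomes.

```python
import hashlib
import hmac
import os
import tempfile

# Package names and MD5 sums exactly as listed in the Debian update above.
DEBIAN_MANIFEST = {
    "ssh-askpass-nonfree_1.2.27-6.2_i386.deb": "e43c6b7ad3a6cf71d07f528ad9adb34c",
    "ssh-nonfree_1.2.27-6.2_i386.deb": "e4f6db9acb54b9e3dc75315a66207840",
    "ssh-socks_1.2.27-6.2_i386.deb": "0eab3e6250c3aa4130ec5a2f719531e6",
}


def md5_of_file(path, chunk=65536):
    """Hash a file in fixed-size chunks so large packages are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, manifest):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = md5_of_file(path)
        # compare_digest is not strictly needed for a local file check, but it
        # is the habit to keep when comparing any digest strings.
        results[name] = "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"
    return results


def demo():
    """Constructed stand-in files (not the real packages) exercising all three outcomes."""
    good = b"constructed stand-in package contents\n"
    tampered = b"constructed stand-in contents that were altered\n"
    with tempfile.TemporaryDirectory() as d:
        manifest = {
            "good.deb": hashlib.md5(good).hexdigest(),
            "bad.deb": hashlib.md5(good).hexdigest(),  # expected sum of the good bytes
            "absent.deb": "0" * 32,                    # never written to disk
        }
        with open(os.path.join(d, "good.deb"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "bad.deb"), "wb") as f:
            f.write(tampered)
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    # Against a real download directory you would call:
    #   verify_downloads("/path/to/downloads", DEBIAN_MANIFEST)
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Treat a mismatch as "do not install" rather than "re-download until it matches": a checksum only tells you the file differs from what the advisory lists, not why. Note also that a checksum published in the same channel as the download only guards against corruption; it is the signed advisory (or, today, a signed Release file) that provides authenticity.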




 
+---------------------------------+
|  postfix                        | ----------------------------//
+---------------------------------+
  
The Postfix SMTP server maintains a record of SMTP conversations for
debugging purposes. Depending on local configuration details this record
is mailed to the postmaster whenever an SMTP session terminates with
errors. During code maintenance, a stupid error was introduced into the
code due to which the SMTP session log could grow to an unreasonable size.  
This stupid error made Postfix vulnerable to a memory exhaustion attack.
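The Postfix note above is a textbook resource-exhaustion bug: a per-session debugging record with no upper bound, fed by a peer who controls how long the session lasts. The following added example (constructed for this newsletter, not Postfix's code) shows the shape of the fix: a session log with a byte cap that counts, rather than stores, everything past the limit, beside the unbounded variant so the difference in memory growth is visible on a simulated chatty peer. The session transcript lines are constructed.

```python
class SessionLog:
    """Per-session SMTP transcript with an optional byte cap.

    max_bytes=None reproduces the unbounded behaviour the advisory describes;
    a positive cap is the hardened form.
    """

    def __init__(self, max_bytes=64 * 1024):
        self.max_bytes = max_bytes
        self.lines = []
        self.size = 0       # bytes currently held
        self.dropped = 0    # lines refused once the cap was reached

    def append(self, line):
        """Record a line, or count it as dropped once the cap is reached."""
        cost = len(line.encode("utf-8")) + 1  # +1 for the newline in the mailed report
        if self.max_bytes is not None and self.size + cost > self.max_bytes:
            self.dropped += 1
            return False
        self.lines.append(line)
        self.size += cost
        return True

    def report(self):
        """Text that would be mailed to the postmaster on an error exit."""
        body = "\n".join(self.lines)
        if self.dropped:
            body += (f"\n[{self.dropped} further line(s) omitted: "
                     f"session log limit of {self.max_bytes} bytes reached]")
        return body


def simulate_chatty_session(n_commands, max_bytes=1024):
    """Constructed peer that sends n_commands NOOPs before QUIT (not a real exchange)."""
    log = SessionLog(max_bytes)
    log.append(">>> 220 mail.example.test ESMTP")
    for _ in range(n_commands):
        log.append("<<< NOOP")
        log.append(">>> 250 2.0.0 Ok")
    log.append("<<< QUIT")
    return log


if __name__ == "__main__":
    bounded = simulate_chatty_session(10_000, max_bytes=1024)
    unbounded = simulate_chatty_session(10_000, max_bytes=None)
    print(f"bounded:   {bounded.size} bytes held, {bounded.dropped} lines dropped")
    print(f"unbounded: {unbounded.size} bytes held, {unbounded.dropped} lines dropped")
```

The cap is enforced at append time, not when the report is built, which is the point: memory is consumed during the session, so a limit applied only at the end would arrive after the exhaustion it is meant to prevent. The omitted-line count is kept so the postmaster can still tell that the peer was abusive.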

 Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1696.html

  

 
+---------------------------------+
|  Korean Red Hat Release         | ----------------------------//
+---------------------------------+

Due to the kernel used in the Red Hat Linux 7.1 Korean installation
program, some files are written by the installation program with the wrong
permissions.

 PLEASE SEE VENDOR ADVISORY 

 Red Hat: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-1693.html 
 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

