Linux Advisory Watch - January 4th 2001

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 4th, 2001                        Volume 3, Number  1a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for mailman, mutt, glibc, and libgtop.
The vendors include Conectiva, Debian, and Red Hat.  Packages such as
mailman and glibc were referenced in last week's newsletter.  If you have
not had a chance to patch your system, last week's newsletter is available
at the following URL:

 http://www.linuxsecurity.com/articles/forums_article-4214.html 

Guardian Digital Launches Online Career Center - Guardian Digital,
pioneers in Linux and open source security, today released its worldwide
online career center. Encompassing more than 30,000 jobs within the Linux
and open source fields, ** http://careers.linuxsecurity.com ** has the
hottest jobs within high profile industries including computer security
and consulting.
  
Why be vulnerable? It's your choice. - Are you looking for a solution that
provides the applications necessary to easily create thousands of virtual
Web sites, manage e-mail, DNS, firewalling, and database functions for an
entire organization, and supports high-speed broadband connections, all
using a Web-based front-end? EnGarde Secure Professional provides those
features and more! Want to learn more?

  --> http://store.guardiandigital.com/html/eng/493-AA.shtml


  
  
+---------------------------------+
| mailman                         | ----------------------------//
+---------------------------------+
 
A server running Mailman versions prior to 2.0.8 will send certain
user-modifiable data to clients without escaping embedded tags.  This data
may contain scripts which will then be executed by an unwary client,
possibly transmitting private information to a third party.

 Red Hat Secure Web Server 3.2: i386: 
 ftp://updates.redhat.com/other_prod/secureweb/3.2/ 
 i386/mailman-2.0.8-0.6.2.i386.rpm 
 c0b1a635356bb4c05218a4b49099bd1b 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-1771.html


  
+---------------------------------+
| mutt                            | ----------------------------//
+---------------------------------+

mutt-1.2.5.1 is released as an update to the last stable version of mutt,
mutt-1.2.5.  The ONLY relevant change in this version is the fix mentioned
above.  No other bugs present in 1.2.5 have been fixed. You only want to
upgrade to this version of mutt if you absolutely have to stick with the
mutt-1.2 series.

 Mutt Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1772.html 
 Debian Intel IA-32 architecture: 
 
 http://security.debian.org/dists/stable/updates/ 
 main/binary-i386/mutt_1.2.5-5_i386.deb 
 MD5 checksum: d72fa58b0914762674648a68d410b4b9 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1773.html


  

+---------------------------------+
| glibc                           | ----------------------------//
+---------------------------------+

The GNU C Library (glibc) is the standard library used by almost every
program on a common Linux system. There is a buffer overflow[1] discovered
by Flávio Veloso in glibc's glob() function. By triggering this
vulnerability[2], an attacker could make a program which uses that
function execute arbitrary code.

 PLEASE SEE VENDOR ADVISORY 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1774.html


  
+---------------------------------+
| libgtop                         | ----------------------------//
+---------------------------------+

There are two libgtop_daemon vulnerabilities addressed by this advisory.
The first one[1] was found by the Laboratory intexxia and is a format
string vulnerability in the libgtop_daemon logging mechanisms. The
second[2] was found later[3] by Flavio Veloso when investigating the first
and is a buffer overflow in the same part of the code. By exploiting either
of the vulnerabilities an attacker would be able to execute arbitrary code
with the privileges of the user libgtop_daemon is running as.
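The two libgtop_daemon bugs above are both in the daemon's logging path: a client string used as the format argument, and an unbounded copy into a fixed buffer. The following is an added example, not libgtop code, showing a log helper written so that neither defect can occur (the function names and LOG_LINE_MAX are constructed for the example):

```c
#include <stdio.h>
#include <string.h>

/* Added example (not libgtop_daemon code).  A daemon log helper that treats
 * client-supplied text strictly as data.
 *
 * The weak pattern this replaces hands the client string to the formatter
 * as the format itself and copies it into a fixed buffer unchecked:
 *
 *     char line[128];
 *     strcpy(line, client_msg);          // length never checked
 *     syslog(LOG_INFO, line);            // '%' sequences are interpreted
 *
 * Below, the message is always the argument of a "%s" conversion, so any
 * '%' in it is copied literally, and snprintf bounds the write so an
 * over-long message is truncated instead of overflowing the buffer. */

#define LOG_LINE_MAX 64   /* constructed buffer size for the example */

/* Writes "client: <msg>" into out (capacity outsz, always NUL-terminated).
 * Returns 1 if the whole message fit, 0 if it was truncated, so the
 * caller can record the truncation rather than silently losing data. */
int format_log_line(char *out, size_t outsz, const char *client_msg)
{
    int n = snprintf(out, outsz, "client: %s", client_msg);
    if (n < 0) {                 /* encoding error: emit an empty line */
        if (outsz > 0)
            out[0] = '\0';
        return 0;
    }
    return (size_t)n < outsz;    /* n counts chars that would be written */
}

int main(void)
{
    char line[LOG_LINE_MAX];
    char big[200];

    /* A message carrying format directives is logged verbatim. */
    format_log_line(line, sizeof line, "%x%x%n");
    fputs(line, stdout); fputc('\n', stdout);

    /* An over-long message is cut at the buffer boundary, not overflowed. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (!format_log_line(line, sizeof line, big))
        fputs("(message truncated)\n", stdout);
    return 0;
}
```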

 Conectiva: 
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 libgtop-1.0.13-U70_2cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 libgtop-devel-1.0.13-U70_2cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 libgtop-devel-static-1.0.13-U70_2cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 libgtop-examples-1.0.13-U70_2cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1775.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

