+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | June 14th, 2002 Volume 3, Number 24a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week.It includes pointers to updated packages and descriptions of each vulnerability. This week advisories were released for mozilla, mailman, LPRng, and ghostscript. The vendors include Caldera, Mozilla, and Red Hat. Last week, Yellow Dog Linux released a number of advisories; all packages should be updated immediately. The advisories include ethereal, bind, xchat, tcpdump, ghostscript, nss_ldap, and imap. Linux Advisory Watch - June 7th 2002 http://www.linuxsecurity.com/articles/forums_article-5104.html ## Developing with open standards? Demanding High Performance? ## Catch the Oracle9i JDeveloper wave now and check out how built-in profilers and CodeCoach make your Java code tighter and faster than ever before. Download your FREE copy of Oracle9i J Developer Today. http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle1 FEATURE: Introduction to Nessus, a Vulnerability Scanner Nessus is a vulnerability scanner which performs scanning a target network to seek for vulnerabilities in the network, such as, software bugs, backdoors, and etc. The program is developed by Renaud Deraison. http://www.linuxsecurity.com/feature_stories/nessusintro-part1.html +---------------------------------+ | mozilla | ----------------------------// +---------------------------------+ When loading pages with a specially prepared (or erroneous) stylesheet, mozilla and X windows (not restricted to XFree) exhibit any of two undesireable behaviours. This seems to depend on the local system configuration, especially to the presence of xfs, but bug reports so far are inconclusive. PLEASE SEE VENDOR ADVISORY FOR UPDATE Mozilla Vendor Advisory: http://www.linuxsecurity.com/advisories/other_advisory-2128.html +---------------------------------+ | mailman | ----------------------------// +---------------------------------+ Updated mailman packages are now available for Red Hat Power Tools 7 and 7.1. These updates resolve a cross-site scripting vulnerability present in versions of Mailman prior to 2.0.1 Red Hat Powertools 7.1: i386: ftp://updates.redhat.com/7.1/en/powertools/i386/ mailman-2.0.11-0.7.1.i386.rpm 7741cc4b43b2bca2ed4d6ddc0bbc229e Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2129.html +---------------------------------+ | LPRng | ----------------------------// +---------------------------------+ With its default configuration, LPRng will accept job submissions from any host, which is not appropriate in a workstation environment. We are grateful to Matthew Caron for pointing out this configuration problem. Red Hat Linux 7.3: i386: ftp://updates.redhat.com/7.3/en/os/i386/LPRng-3.8.9-4.i386.rpm a6d4b8b6cb30cddb686c102e27997d6d Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2131.html +---------------------------------+ | ghostscript | ----------------------------// +---------------------------------+ An untrusted PostScript file that uses .locksafe or .setsafe to reset the current page device can force the ghostscript program to execute arbitrary commands. OpenLinux 3.1.1 Server: ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/ Server/current/RPMS ghostscript-6.51-10.i386.rpm cfabdbccacd4de0268ce15d1dd6a0408 ghostscript-doc-6.51-10.i386.rpm f9bb38edc64d718f8b943d395de7c75a ghostscript-fonts-6.51-10.i386.rpm 70a913d9427ce45367710498bab8e065 ghostscript-fonts-cid-6.51-10.i386.rpm 9e2f736b44b9bfa60e51c24847637d48 Caldera Vendor Advisory: http://www.linuxsecurity.com/advisories/caldera_advisory-2133.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------