Linux Advisory Watch - August 30th 2002

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  August 30th, 2002                        Volume 3, Number 35a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.  
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for irssi, mailman, postgresql, gaim,
xinetd, python, ethereal, kde, and hylafax.  The vendors include
Conectiva, Debian, Gentoo, Mandrake, and Red Hat.

FREE Apache SSL Guide from Thawte Certification Do your online customers
demand the best available protection of their personal information?
Thawte's guide explains how to give this to your customers by implementing
SSL on your Apache Web Server. Click here to get our FREE Thawte Apache
Guide:

http://www.gothawte.com/rd364.html 


FEATURE: PHP Secure Installation
Vulnerabilities in PHP are being reported more and more often, so a PHP
installation needs to be secured as thoroughly as possible. Because PHP is
so popular and so widely deployed, developers and administrators who do not
take appropriate security steps at installation time are likely to run into
trouble.

http://www.linuxsecurity.com/feature_stories/feature_story-117.html

Find technical and managerial positions available worldwide.  Visit the
LinuxSecurity.com Career Center: http://careers.linuxsecurity.com


+---------------------------------+
|  Package: irssi                 | ----------------------------//
|  Date: 08-23-2002               |
+---------------------------------+
  
Description: 
The IRC client irssi is vulnerable to a denial of service condition.
The problem occurs when a user attempts to join a channel that has an
overly long topic description. When a certain string is appended to
the topic, irssi will crash.

 Vendor Alerts: Debian: Intel IA-32 architecture:
 http://security.debian.org/pool/updates/main/i/
 irssi-text/irssi-text_0.8.4-3.1_i386.deb
 Size/MD5 checksum:   695000 9557d0cce86def75e96636781c68716e

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2306.html
 


+---------------------------------+
|  Package: mailman               | ----------------------------//
|  Date: 08-23-2002               |
+---------------------------------+
  
Description: 
Mailman versions prior to 2.0.12 contain a cross-site scripting
vulnerability in the processing of invalid requests to edit a
subscriber's list subscription options. 

 Vendor Alerts: Red Hat: Intel IA-32 architecture:
 ftp://updates.redhat.com/7.3/en/os/i386/mailman-2.0.13-1.i386.rpm
 17ff9d61c91358739215efced3c8090d

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2307.html 
  
  
 Debian:  
 http://security.debian.org/pool/updates/main/m/mailman/ 
 mailman_2.0.11-1woody4_i386.deb 
 Size/MD5 checksum:   475002 64035fc874ed300ade121957bd550e24 
  
 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2310.html 
 
 


+---------------------------------+
|  Package: postgresql            | ----------------------------//
|  Date: 08-23-2002               |
+---------------------------------+
  
Description: 
Due to recent security vulnerabilities reported on BugTraq, concerning
several buffer overruns found in PostgreSQL, the PostgreSQL Global
Development Team today released v7.2.2 of PostgreSQL that fixes these
vulnerabilities.

 Vendor Alerts: Gentoo: 

 PLEASE SEE VENDOR ADVISORY FOR UPDATE 

 Gentoo Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2309.html
 

  

+---------------------------------+
|  Package: gaim                  | ----------------------------//
|  Date: 08-23-2002               |
+---------------------------------+
  
Description: 
The developers of Gaim, an instant messenger client that supports
several different networks, found a vulnerability in the hyperlink
handling code. The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the user's machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it.  Users who use the other built-in browser commands aren't
vulnerable.
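The defensive pattern behind this advisory, as an added example (not Gaim's code and not from the Debian, Gentoo or Mandrake advisories): a browser command built by concatenating an untrusted URL into a shell string is replaced by an argv list handed directly to the child process, with a scheme check so only web URLs are opened. The helper names (build_browser_argv, launch_with_echo) and the stand-in "browser" (a child Python that just prints its first argument) are this example's own.

```python
"""Launching an external browser with an untrusted URL: the argv-list pattern.

Added example, not Gaim's code. The advisory describes the 'Manual'
browser command handing an unescaped URL to the shell. The safe form
never builds a shell string from the URL: it passes the URL as a single
argv element (no shell involved) and accepts only schemes a browser
should open.
"""
import subprocess
import sys
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}


def vulnerable_command_string(browser: str, url: str) -> str:
    # The pattern the advisory describes: string concatenation destined
    # for /bin/sh. Shown only for contrast; it is never executed here.
    return browser + " " + url


def build_browser_argv(browser_argv, url: str):
    """Return an argv list for the browser with the URL as one element.

    Rejects anything that is not an absolute http/https/ftp URL, so
    schemes such as file: or javascript: never reach the browser either.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError(f"refusing to open non-web URL: {url!r}")
    # No shell is involved, so shell metacharacters in `url` are inert.
    return list(browser_argv) + [url]


def launch_with_echo(url: str) -> str:
    """Stand-in for the browser: a child Python that prints argv[1].

    Whatever the child prints is exactly what a real browser would
    receive as its URL argument.
    """
    argv = build_browser_argv(
        [sys.executable, "-c", "import sys; print(sys.argv[1])"], url)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample: the space and `&` would be interpreted by /bin/sh.
    sample = "http://example.com/a b?x=1&y=2"
    print("shell string (unsafe):", vulnerable_command_string("netscape", sample))
    print("argv (safe):          ", build_browser_argv(["netscape"], sample))
    print("child received:       ", launch_with_echo(sample))
```

Run it and the child prints the URL unchanged, space and `&` included; the same string concatenated into a shell command would be split into two commands, which is the defect the advisory describes.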
 
 Vendor Alerts: Debian: Intel IA-32 architecture:
 http://security.debian.org/pool/updates/main/g/gaim/
 gaim_0.58-2.2_i386.deb
 Size/MD5 checksum:   389256 bb1688d11f1e444e7116e3ce48d4b299

 http://security.debian.org/pool/updates/main/g/gaim/
 gaim-common_0.58-2.2_i386.deb
 Size/MD5 checksum:   606056 ff6443a2cc3be13f8d97f8c56f93bf05

 http://security.debian.org/pool/updates/main/g/gaim/
 gaim-gnome_0.58-2.2_i386.deb
 Size/MD5 checksum:   409108 028dc6cfa04b921f94500853d65f1069

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2311.html 
 

 Gentoo Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2313.html 
 
 Mandrake: 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2319.html
 

  

+---------------------------------+
|  Package: xinetd                | ----------------------------//
|  Date: 08-23-2002               |
+---------------------------------+
  
Description: 
A vulnerability was discovered by Solar Designer in xinetd.  The file
descriptors for the signal pipe that was introduced in version 2.3.4
are leaked into services started by xinetd; a service can then use them
to talk to xinetd, resulting in a crash of xinetd.
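The general check behind this advisory, as an added example (not xinetd's code and not from the Mandrake advisory): a server that keeps a private pipe must mark both ends close-on-exec, or every service it spawns inherits them. The script below creates a pipe, spawns a child with each flag setting, and reports whether the child could use the descriptor. Function names are this example's own; it relies on Python 3.4+ marking new descriptors non-inheritable by default (PEP 446).

```python
"""Inheritable file descriptors leaking into child processes.

Added example, not xinetd's code. The advisory describes xinetd's
signal-pipe descriptors being inherited by the services it spawns.
A pipe end marked inheritable is usable by a child; one marked
close-on-exec (non-inheritable) is closed by exec and is not.
"""
import os
import subprocess
import sys

# Child program: exits 0 only if the descriptor it is handed is open.
CHILD = "import os, sys; os.fstat(int(sys.argv[1]))"


def child_can_use_fd(fd: int, inheritable: bool) -> bool:
    """Spawn a child and report whether it can use `fd`.

    close_fds=False is deliberate: it mirrors a server that relies on
    the descriptor flags alone rather than explicitly closing fds.
    """
    os.set_inheritable(fd, inheritable)   # False == FD_CLOEXEC set
    result = subprocess.run([sys.executable, "-c", CHILD, str(fd)],
                            close_fds=False, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def signal_pipe_leak_check() -> dict:
    """Create a pipe like a signal pipe and test both flag settings."""
    read_end, write_end = os.pipe()   # non-inheritable by default (PEP 446)
    try:
        return {
            "default_inheritable": os.get_inheritable(write_end),
            "leaked_when_inheritable": child_can_use_fd(write_end, True),
            "leaked_when_cloexec": child_can_use_fd(write_end, False),
        }
    finally:
        os.close(read_end)
        os.close(write_end)


if __name__ == "__main__":
    for key, value in signal_pipe_leak_check().items():
        print(f"{key:26s} {value}")
```

On a Linux host the write end is reported as leaked only when it was explicitly made inheritable; auditing a daemon for this class of bug comes down to listing the descriptors a spawned service can see (for example `ls -l /proc/<pid>/fd` from inside the service) and confirming none of the parent's private pipes appear.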

 Vendor Alerts: Mandrake 8.2:  
 8.2/RPMS/xinetd-2.3.7-1.1mdk.i586.rpm 
 1ae58d1e98290a5ddee12d5befc1ca81  

 8.2/RPMS/xinetd-ipv6-2.3.7-1.1mdk.i586.rpm 
 b8b28576800b4c42196dabd9c1fd27be  
 http://www.mandrakesecure.net/en/ftp.php 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2312.html 

 

 

+---------------------------------+
|  Package: python                | ----------------------------//
|  Date: 08-23-2002               |
+---------------------------------+

Description: 
Zack Weinberg discovered an insecure use of a temporary file in
os._execvpe from os.py.  It uses a predictable name, which could lead
to execution of arbitrary code.
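Why a predictable temporary file name matters, as an added example (not the Python project's code and not from the Debian advisory): on a current Python, a file planted in advance at a predictable path is silently reused by an open() that lacks O_EXCL, while an exclusive create fails, and tempfile.mkstemp gives an unpredictable name, exclusive creation and mode 0600 in one call. Function names are this example's own.

```python
"""Predictable temporary file names versus atomic exclusive creation.

Added example, not the Python project's own code. The advisory concerns
os._execvpe in Python 1.5.2 using a temporary file with a predictable
name. This shows the failure mode and the fix: a predictable path opened
with O_CREAT alone reuses whatever is already there, O_EXCL refuses, and
tempfile.mkstemp combines an unpredictable name with O_EXCL and 0600.
"""
import os
import tempfile


def predictable_path(tmpdir: str) -> str:
    # The kind of name the advisory warns about: derivable from the pid alone.
    return os.path.join(tmpdir, f"tmp{os.getpid()}")


def open_unsafely(path: str) -> int:
    # O_CREAT without O_EXCL: quietly opens a pre-existing file at `path`.
    return os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)


def open_exclusively(path: str) -> int:
    # O_EXCL makes creation atomic: if the path already exists, fail.
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)


def demonstrate(tmpdir: str) -> dict:
    """Plant a file at the predictable path, then try each opener."""
    path = predictable_path(tmpdir)
    with open(path, "w") as planted:          # constructed: the "attacker's" file
        planted.write("planted before the program ran\n")

    fd = open_unsafely(path)
    unsafe_reused_planted = os.fstat(fd).st_size > 0   # planted bytes still there
    os.close(fd)

    try:
        fd = open_exclusively(path)
        os.close(fd)
        exclusive_refused = False
    except FileExistsError:
        exclusive_refused = True

    # mkstemp: random name, O_EXCL, mode 0600, returns the open fd.
    fd, safe_path = tempfile.mkstemp(dir=tmpdir)
    mkstemp_mode = os.fstat(fd).st_mode & 0o777
    os.close(fd)
    os.unlink(safe_path)
    os.unlink(path)
    return {
        "unsafe_reused_planted": unsafe_reused_planted,
        "exclusive_refused": exclusive_refused,
        "mkstemp_mode": mkstemp_mode,
        "mkstemp_name_differs": safe_path != path,
    }


def run_demo() -> dict:
    """Run demonstrate() in a fresh private directory and clean it up."""
    tmpdir = tempfile.mkdtemp()
    try:
        return demonstrate(tmpdir)
    finally:
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22s} {value}")
```

The same reasoning applies to any program that writes into a shared directory such as /tmp: use the descriptor that mkstemp returns rather than reopening the path by name, so there is no window between choosing the name and using the file.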

 Vendor Alerts: Debian: Intel IA-32 architecture 
 http://security.debian.org/pool/updates/main/p/python/ 
 python-base_1.5.2-10potato12_i386.deb 
 Size/MD5 checksum:   825052 a2b34f89248287e5f61e1a9ae051b6ae 

 Debian Vendor Advisory:  
 http://www.linuxsecurity.com/advisories/debian_advisory-2314.html
 


+---------------------------------+
|  Package: ethereal              | ----------------------------//
|  Date: 08-28-2002               |
+---------------------------------+
  
Description: 
A buffer overflow in Ethereal 0.9.5 and earlier allows remote
attackers to cause a denial of service or execute arbitrary code via
the ISIS dissector.

 Vendor Alerts: Red Hat 

 ftp://updates.redhat.com/7.3/en/os/i386/
 ethereal-0.9.6-0.73.0.i386.rpm  
 44877a1c0ca46f36fbb647b17c5b9a3d  

 ftp://updates.redhat.com/7.3/en/os/i386/
 ethereal-gnome-0.9.6-0.73.0.i386.rpm 
 60e42f09e3c59ba841397f0fd655eda7  

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2316.html
 


+---------------------------------+
|  Package: kde                   | ----------------------------//
|  Date: 08-29-2002               |
+---------------------------------+

Description: 
This is a full update of the KDE desktop to the 3.0.3 version, the 
latest release by the project[1]. Besides containing several bugfixes
and enhancements, this update also fixes two security
vulnerabilities. 

 Vendor Alerts: Conectiva 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE 

 Conectiva Vendor Advisory:  
 http://www.linuxsecurity.com/advisories/other_advisory-2317.html
 

  
+---------------------------------+
|  Package: hylafax               | ----------------------------//
|  Date: 08-29-2002               |
+---------------------------------+

Description: 
Not included in this issue; see the Mandrake vendor advisory linked below.

 Vendor Alerts: Mandrake 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2318.html
 

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

