03-Mar-2004, 09:40 AM
#1
Hiya

XBoard -icshost buffer overflow

Description: XBoard is a chess program graphical interface for Unix-based operating systems. XBoard versions 4.2.7 and earlier are vulnerable to a denial of service attack, caused by a stack-based buffer overflow. A local attacker can supply a specially-crafted -icshost command to overflow the buffer and execute arbitrary code on the system.

Platforms Affected: Tim Mann XBoard 4.2.7 and prior; Various Unix, any version

Remedy: No remedy available as of March 2004.

Consequences: Gain Privileges

http://xforce.iss.net/xforce/xfdb/15362

Regards
eddie
__________________
Just go with the flow, like a twig on the shoulders of a mighty stream
Proud Member of ASAP, Alliance of Security Analysis Professionals
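Added example, not XBoard's code and not from the advisory above: the bug class the -icshost report describes, a command-line option value copied into a fixed-size stack buffer, shown next to the bounded copy a fix would use. HOST_MAX, the function names and the allowed host-name character set are assumptions made for the illustration.

```c
/* Added illustration of the -icshost bug class; not XBoard source.
 * An option value from argv is copied into a fixed-size stack buffer.
 * set_ics_host_unsafe shows the vulnerable shape; set_ics_host_safe is
 * the form a fix takes. HOST_MAX and the names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define HOST_MAX 64   /* assumed size of the on-stack host buffer */

/* Vulnerable pattern: unbounded copy of attacker-controlled argv text.
 * Kept only to show the shape; never call it with untrusted input. */
void set_ics_host_unsafe(const char *arg)
{
    char host[HOST_MAX];
    strcpy(host, arg);          /* no length check: overflows if strlen(arg) >= HOST_MAX */
    printf("connecting to %s\n", host);
}

/* Hardened form: reject anything that does not fit, copy with a bound,
 * and guarantee NUL termination. Returns 0 on success, -1 if rejected. */
int set_ics_host_safe(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    while (n < outsz && arg[n] != '\0')   /* bounded scan: never read past outsz */
        n++;
    if (n >= outsz)
        return -1;                        /* would need outsz+1 bytes including NUL */
    /* Host names: letters, digits, '.' and '-' only (assumed policy). */
    for (size_t i = 0; i < n; i++) {
        char c = arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return -1;
    }
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Simulates "-icshost <value>" option handling on the hardened path.
 * Returns 0 when a valid host was stored, -1 if absent or rejected. */
int parse_icshost_option(int argc, char **argv, char *out, size_t outsz)
{
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-icshost") == 0)
            return set_ics_host_safe(argv[i + 1], out, outsz);
    return -1;
}

int main(int argc, char **argv)
{
    char host[HOST_MAX];
    if (parse_icshost_option(argc, argv, host, sizeof host) == 0)
        printf("ICS host: %s\n", host);
    else
        fprintf(stderr, "usage: %s -icshost <hostname> (max %d chars)\n",
                argv[0], HOST_MAX - 1);
    return 0;
}
```

The point of the bounded scan is that the length check itself must not read further than the destination can hold; a plain strlen() on a multi-megabyte argument is harmless, but the same habit applied to non-terminated network data is not.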
03-Mar-2004, 09:52 AM
#2
pwlib

PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.
---------------------------------------------------------------------
Update Information:

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Users are advised to upgrade to the update packages, which contain backported security fixes and are not vulnerable to these issues.

Red Hat would like to thank Craig Southeren of the OpenH323 project for providing the fixes for these issues.

This update can be downloaded from:
http://download.fedora.redhat.com/pu...ore/updates/1/

http://www.linuxsecurity.com/advisor...sory-4097.html

---------

kernel-source-2.2.20, kernel-image-2.2.20-i386, kernel-image-2.2.20-reiserfs-i386, kernel-image-2.2.20-amiga, kernel-image-2.2.20-atari, kernel-image-2.2.20-bvme6000, kernel-image-2.2.20-mac, kernel-image-2.2.20-mvme147, kernel-image-2.2.20-mvme16x, kernel-patch-2.2.20-powerpc

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.

The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x, which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.

For the stable distribution (woody) this problem has been fixed in the following versions and architectures:

kernel-source-2.2.20               source   2.2.20-5woody3
kernel-image-2.2.20-i386           i386     2.2.20-5woody5
kernel-image-2.2.20-reiserfs-i386  i386     2.2.20-4woody1
kernel-image-2.2.20-amiga          m68k     2.20-4
kernel-image-2.2.20-atari          m68k     2.2.20-3
kernel-image-2.2.20-bvme6000       m68k     2.2.20-3
kernel-image-2.2.20-mac            m68k     2.2.20-3
kernel-image-2.2.20-mvme147        m68k     2.2.20-3
kernel-image-2.2.20-mvme16x        m68k     2.2.20-3
kernel-patch-2.2.20-powerpc        powerpc  2.2.20-3woody1

For the unstable distribution (sid) this problem will be fixed soon for the architectures that still ship a 2.2.x kernel package.

We recommend that you upgrade your Linux kernel package.

Upgrade Instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

http://www.linuxsecurity.com/advisor...sory-4096.html

----------------

OpenLinux

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to these issues:

CAN-2003-0854: ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd.

CAN-2003-0853: An integer overflow in ls in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd.

2. Vulnerable Supported Versions

System                       Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server       prior to fileutils-4.1-6.i386.rpm
OpenLinux 3.1.1 Workstation  prior to fileutils-4.1-6.i386.rpm

3. Solution

The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.

http://www.linuxsecurity.com/advisor...sory-4095.html

--------------

libapache-mod-python

The Apache Software Foundation announced that some versions of mod_python contain a bug which, when processing a request with a malformed query string, could cause the corresponding Apache child to crash. This bug could be exploited by a remote attacker to cause a denial of service.

For the current stable distribution (woody) this problem has been fixed in version 2:2.7.8-0.0woody2.

For the unstable distribution (sid), this problem has been fixed in version 2:2.7.10-1.

We recommend that you update your libapache-mod-python package.

http://www.linuxsecurity.com/advisor...sory-4094.html

----------------

xboing

Steve Kemp discovered a number of buffer overflow vulnerabilities in xboing, a game, which could be exploited by a local attacker to gain gid "games".

For the current stable distribution (woody) these problems have been fixed in version 2.4-26woody1.

For the unstable distribution (sid), these problems have been fixed in version 2.4-26.1.

We recommend that you update your xboing package.

http://www.linuxsecurity.com/advisor...sory-4093.html

---------------

FreeBSD-SA-04:03.jail

The jail(2) system call allows a system administrator to lock up a process and all its descendants inside a closed environment with very limited ability to affect the system outside that environment, even for processes with superuser privileges. It is an extension of, but far more stringent than, the traditional Unix chroot(2) system call.

The jail_attach(2) system call, which was introduced in FreeBSD 5 before 5.1-RELEASE, allows a non-jailed process to permanently move into an existing jail.

II. Problem Description

A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach(2) system call would fail only after changing the calling process's root directory.

III. Impact

A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail.

IV. Workaround

No workaround is available.

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to 5.2.1-RELEASE, or to the RELENG_5_2 or RELENG_5_1 security branch dated after the correction date.

OR

2) Patch your present system:

http://www.linuxsecurity.com/advisor...sory-4092.html

------------

kernel-source-2.4.19, kernel-patch-2.4.19-mips

Several local root exploits have been discovered recently in the Linux kernel. This security advisory updates the mips kernel 2.4.19 for Debian GNU/Linux. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update:

CAN-2003-0961: An integer overflow in the brk() system call (do_brk() function) for Linux allows a local attacker to gain root privileges. Fixed upstream in Linux 2.4.23.

CAN-2003-0985: Paul Starzetz discovered a flaw in bounds checking in mremap() in the Linux kernel (present in version 2.4.x and 2.6.x) which may allow a local attacker to gain root privileges. Version 2.2 is not affected by this bug. Fixed upstream in Linux 2.4.24.

CAN-2004-0077: Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to a missing function return value check of internal functions a local attacker can gain root privileges. Fixed upstream in Linux 2.4.25 and 2.6.3.

For the stable distribution (woody) these problems have been fixed in version 2.4.19-0.020911.1.woody3 of mips images and version 2.4.19-4.woody1 of kernel source.

For the unstable distribution (sid) this problem will be fixed soon with the next upload of a 2.4.19 kernel image and in version 2.4.22-0.030928.3 for 2.4.22.

We recommend that you upgrade your Linux kernel packages immediately.

http://www.linuxsecurity.com/advisor...sory-4091.html

------------

Updated libxml2 packages fix security vulnerability

Updated libxml2 packages that fix an overflow when parsing remote resources are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0110 to this issue.

All users are advised to upgrade to these updated packages, which contain a backported fix and are not vulnerable to this issue.

http://www.linuxsecurity.com/advisor...sory-4090.html

------

Updated mod_python packages fix denial of service vulnerability

Updated mod_python packages that fix a denial of service vulnerability are now available for Red Hat Enterprise Linux.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

mod_python embeds the Python language interpreter within the Apache httpd server.

A bug has been found in mod_python versions 2.7.10 and earlier that can lead to a denial of service vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0973 to this issue.

Although Red Hat Enterprise Linux shipped with a version of mod_python that contains this bug, our testing was unable to trigger the denial of service vulnerability. However, mod_python users are advised to upgrade to these errata packages, which contain a backported patch that corrects this bug.

http://www.linuxsecurity.com/advisor...sory-4089.html

------

Immunix OS 7+

Paul Starzetz and Wojciech Purczynski report finding a flaw in the mremap(2) system call due to a missing function return value check. While they found the flaw on the 2.4 series of Linux kernels, the 2.2 series of Linux kernels is also vulnerable to the same problem. This updated package includes a patch from Solar Designer to address this flaw, as well as some additional fixes for uninitialized memory leaking to userspace.

Immunix, Inc., would like to remind Immunix OS 7+ users that support for 7+ will be terminated on March 1, 2004. We will be happy to host updated packages sent to us by users; contact the immunix-users mail list for further information.

Users may purchase Immunix OS 7.3 at:
http://www.immunix.com/products/immunixos/

Immunix OS 7.3 includes StackGuard, FormatGuard, SubDomain, the 2.4 version of the Linux kernel with better scalability and device support, and up2date. More information on Immunix OS 7.3 is at:
http://www.immunix.org/immunix73.html

http://www.linuxsecurity.com/advisor...sory-4088.html

-----------

libxml2

This library allows manipulating XML files. It includes support to read, modify and write XML and HTML files. There is DTD support; this includes parsing and validation even with complex DTDs, either at parse time or later once the document has been modified. The output can be a simple SAX stream or an in-memory DOM-like representation. In this case one can use the built-in XPath and XPointer implementation to select subnodes or ranges. A flexible Input/Output mechanism is available, with existing HTTP and FTP modules, combined with a URI library.

Update Information:

Updated libxml2 packages are available to fix an overflow when parsing the URI for remote resources.

http://www.linuxsecurity.com/advisor...sory-4087.html

--------------

kernel

Paul Starzetz discovered a flaw in return value checking in the mremap() function in the Linux kernel, versions 2.4.24 and previous, that could allow a local user to obtain root privileges.

A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow local privilege escalation.

A flaw in the ncp_lookup() function in the ncpfs code (which is used to mount NetWare volumes or print to NetWare printers) was found by Arjen van de Ven that could allow local privilege escalation.

The Vicam USB driver in Linux kernel versions prior to 2.4.25 does not use the copy_from_user function to access userspace, which crosses security boundaries. This problem does not affect the Mandrake Linux 9.2 kernel.

Additionally, a ptrace hole that only affects the amd64/x86_64 platform has been corrected.

The provided packages are patched to fix these vulnerabilities. All users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at:
http://www.mandrakesecure.net/en/kernelupdate.php

Update:
Kernels for Corporate Server 2.1/x86_64 are now available.

http://www.linuxsecurity.com/advisor...sory-4086.html

Regards
eddie
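Added example, not coreutils code and not from the OpenLinux advisory above: the arithmetic behind the two ls -w entries. A user-supplied column width feeds a size computation that sizes a heap buffer; unchecked, a huge width either exhausts memory (the CAN-2003-0854 class) or wraps and produces an undersized buffer (the CAN-2003-0853 class). WIDTH_MAX, the function names and the 24-row grid are assumptions made for the illustration.

```c
/* Added illustration of the ls -w bug class; not fileutils/coreutils source.
 * parse_width validates the option value, checked_mul refuses a product
 * that cannot be represented, and alloc_grid_unsafe shows the wrap that a
 * fix removes. WIDTH_MAX and the names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>

#define WIDTH_MAX 4096   /* assumed sane ceiling for a terminal width */

/* Parse a "-w N" value: digits only, no sign, within [1, WIDTH_MAX].
 * Returns 0 and stores the width on success, -1 on reject. */
int parse_width(const char *s, size_t *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* too large for unsigned long, or trailing junk */
        return -1;
    if (v == 0 || v > WIDTH_MAX)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Vulnerable pattern: width * rows computed in size_t with no check.
 * A large width makes the product wrap, and malloc hands back a buffer far
 * smaller than the code later writes into. Shown for comparison only. */
char *alloc_grid_unsafe(size_t width, size_t rows)
{
    return malloc(width * rows);           /* silent wrap on overflow */
}

/* Hardened multiply: -1 if a*b would not fit in size_t, else stores a*b. */
int checked_mul(size_t a, size_t b, size_t *res)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *res = a * b;
    return 0;
}

/* Allocate exactly width*rows bytes, or return NULL if the request is
 * out of policy or the size cannot be computed without wrapping. */
char *alloc_grid_safe(size_t width, size_t rows)
{
    size_t total;
    if (width == 0 || rows == 0 || width > WIDTH_MAX)
        return NULL;
    if (checked_mul(width, rows, &total) != 0)
        return NULL;
    return malloc(total);
}

int main(int argc, char **argv)
{
    size_t width;
    const char *arg = argc > 1 ? argv[1] : "80";
    if (parse_width(arg, &width) != 0) {
        fprintf(stderr, "invalid width: %s\n", arg);
        return 1;
    }
    char *grid = alloc_grid_safe(width, 24);
    if (grid == NULL) {
        fprintf(stderr, "allocation refused\n");
        return 1;
    }
    memset(grid, ' ', width * 24);         /* safe: the product was checked above */
    printf("allocated %zu x 24 grid\n", width);
    free(grid);
    return 0;
}
```

The two checks address the two advisories separately: the WIDTH_MAX ceiling caps how much memory a caller can demand, and checked_mul catches the wrap that would otherwise turn a large request into a small allocation followed by an out-of-bounds write.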
08-Mar-2004, 03:14 PM
#3
OpenLinux: rsync heap based overflow

Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0962 to this issue.

The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.

http://www.linuxsecurity.com/advisor...dvisory-4104.h

OpenLinux: screen buffer overflow

Integer signedness error in ansi.c for GNU screen 4.0.1 and earlier, and 3.9.15 and earlier, could allow local users to execute arbitrary code via a large number of characters in escape sequences, which leads to a buffer overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0972 to this issue.

2. Vulnerable Supported Versions

System                       Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server       prior to screen-3.9.10-2.i386.rpm
OpenLinux 3.1.1 Workstation  prior to screen-3.9.10-2.i386.rpm

3. Solution

The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.

http://www.linuxsecurity.com/advisor...sory-4105.html

OpenLinux: cups denial of service vulnerability

Problem Description

Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service via certain inputs to the IPP port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0788 to this issue.

2. Vulnerable Supported Versions

System                       Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server       prior to cups-1.1.20-1.i386.rpm
                             prior to cups-devel-1.1.20-1.i386.rpm
                             prior to cups-libs-1.1.20-1.i386.rpm
OpenLinux 3.1.1 Workstation  prior to cups-1.1.20-1.i386.rpm
                             prior to cups-devel-1.1.20-1.i386.rpm
                             prior to cups-libs-1.1.20-1.i386.rpm

3. Solution

The proper solution is to install the latest packages.

This patch obsoletes two cups rpm packages, namely cups-client and cups-ppd. These packages need to be removed from the system. To remove cups-client and cups-ppd from your system, as the root user issue the following commands:

# rpm -e cups-client
# rpm -e cups-ppd

Note: Warning messages about directories not removed are expected.

After the two obsoleted packages are removed, you can install the updated packages manually or use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment).

http://www.linuxsecurity.com/advisor...sory-4106.html

libxml, libxml2

libxml2 is a library for manipulating XML files.

Yuuichi Teranishi discovered a flaw in libxml, the GNOME XML library. When fetching a remote resource via FTP or HTTP, the library uses special parsing routines which can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml1 or libxml2 that parses remote resources and allows the attacker to craft the URL, then this flaw could be used to execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in version 1.8.17-2woody1 of libxml and version 2.4.19-4woody1 of libxml2.

For the unstable distribution (sid) this problem has been fixed in version 1.8.17-5 of libxml and version 2.6.6-1 of libxml2.

We recommend that you upgrade your libxml1 and libxml2 packages.

http://www.linuxsecurity.com/advisor...sory-4107.html

Fedora

Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria.

Install tcpdump if you need a program to monitor network traffic.

Updated tcpdump, libpcap, and arpwatch packages fix vulnerabilities in ISAKMP and RADIUS parsing.

Tcpdump is a command-line tool for monitoring network traffic.

George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered an additional flaw in the ISAKMP decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Users of tcpdump are advised to upgrade to these erratum packages, which contain backported security patches and are not vulnerable to these issues.

http://www.linuxsecurity.com/advisor...sory-4108.html

Mandrakelinux

The NISCC uncovered bugs in pwlib prior to version 1.6.0 via a test suite for the H.225 protocol. An attacker could trigger these bugs by sending carefully crafted messages to an application that uses pwlib, and the severity would vary based on the application, but likely would result in a Denial of Service (DoS). The updated packages provide backported fixes from Craig Southeren of the OpenH323 project to protect against this issue.

http://www.linuxsecurity.com/advisor...sory-4109.html

Mandrakelinux

A flaw in libxml2 versions prior to 2.6.6 was found by Yuuichi Teranishi. When fetching a remote source via FTP or HTTP, libxml2 uses special parsing routines that can overflow a buffer if passed a very long URL. In the event that the attacker can find a program that uses libxml2 which parses remote resources and allows them to influence the URL, this flaw could be used to execute arbitrary code. The updated packages provide a backported fix to correct the problem.

http://www.linuxsecurity.com/advisor...sory-4110.html

mailman

Mailman is software to help manage email discussion lists, much like Majordomo and Smartmail. Unlike most similar products, Mailman gives each mailing list a webpage, and allows users to subscribe, unsubscribe, etc. over the Web. Even the list manager can administer his or her list entirely from the Web. Mailman also integrates most things people want to do with mailing lists, including archiving, mail <-> news gateways, and so on.

Documentation can be found in: /usr/share/doc/mailman-2.1.4

When the package has finished installing, you will need to perform some additional installation steps; these are described in: /usr/share/doc/mailman-2.1.4/INSTALL.REDHAT

http://www.linuxsecurity.com/advisor...sory-4111.html

Updated util-linux resolves security vulnerability

Updated util-linux packages that fix an information leak in the login program are now available.

2. Relevant releases/architectures:

Red Hat Linux 7.2 - i386

3. Problem description:

The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Note: Red Hat Linux releases newer than 7.2 are not vulnerable to this issue.

It is recommended that all users upgrade to these updated packages, which are not vulnerable to this issue.

Fedora Legacy would like to thank Matthew Lee of Fleming College for finding and reporting this issue, and Jesse Keating for providing a backported patch for Red Hat Linux 7.2.

http://www.linuxsecurity.com/advisor...sory-4112.html

kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.

The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x, which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.

For the stable distribution (woody) this problem has been fixed in version 20040303 of 2.2 kernel images for the arm architecture.

For the unstable distribution (sid) this problem will be fixed soon for the architectures that still ship a 2.2.x kernel package.

We recommend that you upgrade your Linux kernel package.

http://www.linuxsecurity.com/advisor...sory-4113.html

Gentoo Linux

A buffer overflow has been discovered in libxml2 versions prior to 2.6.6 which may be exploited by an attacker allowing the execution of arbitrary code.

Description
===========

Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When the libxml2 library fetches a remote resource via FTP or HTTP, libxml2 uses parsing routines that can overflow a buffer, caused by improper bounds checking, if they are passed a URL longer than 4096 bytes.

Impact
======

If an attacker is able to exploit an application using libxml2 that parses remote resources, then this flaw could be used to execute arbitrary code.

Workaround
==========

No workaround is available; users are urged to upgrade libxml2 to 2.6.6.

http://www.linuxsecurity.com/advisor...sory-4114.html

Gentoo Linux

Synopsis
========

A critical security vulnerability has been found in recent Linux kernels by Paul Starzetz of iSEC Security Research which allows for local privilege escalations.

Background
==========

The Linux kernel is responsible for memory management in a working system - to allow this, processes are allowed to allocate and unallocate memory.

Affected packages
=================

Kernel                      Unaffected Version    Manual Update?
-----------------------------------------------------------------
aa-sources                  2.4.23-r1             YES
alpha-sources               2.4.21-r4
ck-sources                  2.4.24-r1             YES
ck-sources                  2.6.2-r1              YES
compaq-sources              2.4.9.32.7-r2
development-sources         2.6.3_rc1
gaming-sources              2.4.20-r8
gentoo-dev-sources          2.6.3_rc1
gentoo-sources              2.4.19-r11
gentoo-sources              2.4.20-r12
gentoo-sources              2.4.22-r7
grsec-sources               2.4.24.1.9.13-r1
gs-sources                  2.4.25_pre7-r2
hardened-sources            2.4.24-r1
hppa-dev-sources            2.6.2_p3-r1
hppa-sources                2.4.24_p0-r1
ia64-sources                2.4.24-r1
mips-prepatch-sources       2.4.25_pre6-r1
mips-sources                2.4.25_rc4
mm-sources                  2.6.3_rc1-r1
openmosix-sources           2.4.22-r4
pac-sources                 2.4.23-r3
planet-ccrma-sources        2.4.21-r5
ppc-development-sources     2.6.3_rc1-r1
ppc-sources                 2.4.24-r1
ppc-sources-benh            2.4.22-r5
ppc-sources-crypto          2.4.20-r3
ppc-sources-dev             2.4.24-r2
selinux-sources             2.4.24-r2
sparc-dev-sources           2.6.3_rc1
sparc-sources               2.4.24-r2
usermode-sources            2.4.24-r1
usermode-sources            2.6.3-r1
vanilla-prepatch-sources    2.4.25_rc4
vanilla-sources             2.4.25
win4lin-sources             2.4.23-r2
win4lin-sources             2.6.2-r1
wolk-sources                4.9-r4
wolk-sources                4.10_pre7-r3
xfs-sources                 2.4.24-r2

IMPORTANT: IF YOUR KERNEL IS MARKED AS "YES" ABOVE, THEN YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE REPORTS THAT THE SAME VERSION IS INSTALLED.

http://www.linuxsecurity.com/advisor...sory-4115.html

Regards
eddie
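Added example, not GNU screen's code and not from the OpenLinux advisory above: the signedness bug class the screen ansi.c entry describes. A terminal emulator accumulates the numeric parameter of an escape sequence such as ESC [ 999...9 m into a signed int; a long enough run of digits wraps the value negative, a one-sided "less than limit" check passes, and the negative number is used as a buffer index. PARAM_MAX, CELLS and the function names are assumptions made for the illustration; the saturating parser is the fix shape, not screen's actual patch.

```c
/* Added illustration of the escape-sequence signedness bug class; not
 * GNU screen source. cell_index_ok_unsafe is the one-sided check that
 * lets a negative index through; cell_index_ok_safe is the repaired
 * check; parse_csi_param clamps instead of wrapping. PARAM_MAX, CELLS
 * and the names are assumptions. */
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 10000   /* assumed largest meaningful CSI parameter */
#define CELLS     256     /* assumed size of a per-line attribute buffer */

/* Vulnerable pattern: signed index, one-sided bound. idx = -1 passes. */
int cell_index_ok_unsafe(int idx)
{
    return idx < CELLS;
}

/* Hardened check: both bounds, negatives rejected explicitly. */
int cell_index_ok_safe(int idx)
{
    return idx >= 0 && idx < CELLS;
}

/* Accumulate the decimal digits of a CSI parameter, saturating at
 * PARAM_MAX rather than letting the int wrap. Stores the clamped value
 * and returns the number of digits consumed (0 if none). Clamping and
 * continuing is the usual terminal behaviour for oversized parameters. */
size_t parse_csi_param(const char *s, int *out)
{
    size_t i = 0;
    int v = 0;
    while (s[i] >= '0' && s[i] <= '9') {
        int d = s[i] - '0';
        if (v > (PARAM_MAX - d) / 10)   /* v*10 + d would exceed PARAM_MAX */
            v = PARAM_MAX;
        else
            v = v * 10 + d;
        i++;
    }
    *out = v;
    return i;
}

/* Use a parsed parameter as a column position into a fixed attribute
 * buffer through the hardened check. 0 if written, -1 if refused. */
int set_cell_attr(unsigned char *cells, int column, unsigned char attr)
{
    if (!cell_index_ok_safe(column))
        return -1;
    cells[column] = attr;
    return 0;
}

int main(void)
{
    unsigned char cells[CELLS] = {0};
    /* constructed input: 23 digits, far more than an int can hold once
     * multiplied out, followed by the final byte of an SGR sequence */
    const char *seq = "99999" "99999" "99999" "99999" "999" "m";
    int param;
    size_t used = parse_csi_param(seq, &param);
    printf("consumed %zu digits, clamped value %d\n", used, param);
    if (set_cell_attr(cells, param, 1) != 0)
        printf("column %d refused by bounds check\n", param);
    return 0;
}
```

Two independent fixes are shown because either one alone closes the hole described, and defence in depth wants both: the parser can no longer produce a negative, and the index check would refuse one anyway.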
11-Mar-2004, 08:12 PM
#4
OpenBSD

OpenBSD's TCP/IP stack did not impose limits on how many out-of-order TCP segments are queued in the system. If an attacker was allowed to connect to an open TCP port, he could send out-of-order TCP segments and trick the system into using all available memory buffers. Packet handling would be impaired, and new connections would fail until the attacking TCP connection is closed. The problem is fixed in -current, 3.4-stable and 3.3-stable. Patches are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/pa.../013_tcp.patch
ftp://ftp.openbsd.org/pub/OpenBSD/pa.../018_tcp.patch
http://www.linuxsecurity.com/advisor...sory-4119.html

wu-ftpd

Two vulnerabilities were discovered in wu-ftpd:

CAN-2004-0148 - Glenn Stewart discovered that users could bypass the directory access restrictions imposed by the restricted-gid option by changing the permissions on their home directory. On a subsequent login, when access to the user's home directory was denied, wu-ftpd would fall back to the root directory.

CAN-2004-0185 - A buffer overflow existed in wu-ftpd's code which deals with S/key authentication.

For the stable distribution (woody) these problems have been fixed in version 2.6.2-3woody4. For the unstable distribution (sid) these problems have been fixed in version 2.6.2-17.1. We recommend that you update your wu-ftpd package.
http://www.linuxsecurity.com/advisor...sory-4120.html

python2.2

Sebastian Schmidt discovered a buffer overflow bug in Python's getaddrinfo function, which could allow an IPv6 address, supplied by a remote attacker via DNS, to overwrite memory on the stack. This bug only exists in python 2.2 and 2.2.1, and only when IPv6 support is disabled. The python2.2 package in Debian woody meets these conditions (the 'python' package does not). For the stable distribution (woody), this bug has been fixed in version 2.2.1-4.3. The unstable distribution (sid) is not affected by this bug. We recommend that you update your python2.2 package.
http://www.linuxsecurity.com/advisor...sory-4121.html

python

A buffer overflow in python 2.2's getaddrinfo() function was discovered by Sebastian Schmidt. If python 2.2 is built without IPv6 support, an attacker could configure their name server to let a hostname resolve to a special IPv6 address, which could contain a memory address where shellcode is placed. This problem does not affect python versions prior to 2.2 or versions 2.2.2+, and it also doesn't exist if IPv6 support is enabled. The updated packages have been patched to correct the problem. Thanks to Sebastian for both the discovery and patch.
http://www.linuxsecurity.com/advisor...sory-4122.html

gdk-pixbuf

A vulnerability in gdk-pixbuf versions before 0.20 exists that could allow a malicious BMP file to crash the Evolution mail client. The updated packages have been patched to use gdk-pixbuf 0.22.0's BMP-handling code.
http://www.linuxsecurity.com/advisor...sory-4123.html

mozilla

A number of vulnerabilities were discovered in Mozilla 1.4: A malicious website could gain access to a user's authentication credentials to a proxy server. Script.prototype.freeze/thaw could allow an attacker to run arbitrary code on your computer. A vulnerability was also discovered in the NSS security suite which ships with Mozilla. The S/MIME implementation would allow remote attackers to cause a Denial of Service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, which was demonstrated using the NISCC test suite. NSS version 3.9 corrects these problems and has been included in this package (which shipped with NSS 3.8). Finally, Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory: "The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks." As well, a bug with Mozilla and Finnish keyboards has been corrected. The updated packages are patched to correct these vulnerabilities.
http://www.linuxsecurity.com/advisor...sory-4124.html

kdelibs

Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory: "The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks." This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
http://www.linuxsecurity.com/advisor...sory-4125.html

Updated kdelibs packages resolve cookie security issue

Konqueror is a file manager and Web browser for the K Desktop Environment (KDE). Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. KDE version 3.1.3 and later include a patch to Konqueror that disables the sending of cookies to the server if the URL contains such encoded traversals. Red Hat Linux 9 shipped with KDE 3.1 and is therefore vulnerable to this issue. Users of Konqueror are advised to upgrade to these erratum packages, which contain a backported patch for this issue.
http://www.linuxsecurity.com/advisor...sory-4126.html

Updated sysstat packages fix security vulnerabilities

Sysstat is a tool for gathering system statistics. A bug was found in the Red Hat sysstat package post and trigger scripts, which used insecure temporary file names. A local attacker could overwrite system files using carefully-crafted symbolic links in the /tmp directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0107 to this issue. Other issues addressed in this advisory include:
* iostat -x should return all partitions on the system (up to a maximum of 1024)
* sar should handle network device names with more than 8 characters properly
Users of sysstat should upgrade to these updated packages, which contain patches to correct these issues.
http://www.linuxsecurity.com/advisor...sory-4127.html

Updated gdk-pixbuf packages fix denial of service vulnerability

The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment. In Red Hat Linux 9 this library is used by applications, such as Evolution, to load images. Thomas Kristensen discovered a bitmap file that would cause the Evolution mail reader to crash. This issue was caused by a flaw that affects versions of the gdk-pixbuf package prior to 0.20. To exploit this flaw, a remote attacker could send (via email) a carefully-crafted BMP file, which would cause Evolution to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0111 to this issue. Users are advised to upgrade to these updated packages containing gdk-pixbuf version 0.22, which is not vulnerable to this issue.
http://www.linuxsecurity.com/advisor...sory-4128.html

sysstat

Alan Cox discovered that the isag utility (which graphically displays data collected by the sysstat tools) creates a temporary file without taking proper precautions. This vulnerability could allow a local attacker to overwrite files with the privileges of the user invoking isag. For the current stable distribution (woody) this problem has been fixed in version 5.0.1-1. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you update your sysstat package.
http://www.linuxsecurity.com/advisor...sory-4129.html

coreutils

An updated coreutils package is available fixing an issue in the ls(1) utility, described at:
http://cve.mitre.org/cgi-bin/cvename...=CAN-2003-0853
Note that this vulnerability affects Internet-facing services which execute ls(1) with user-supplied input, and although wu-ftpd is one such service it is not supplied with Fedora Core 1.
http://www.linuxsecurity.com/advisor...sory-4130.html

Regards eddie
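The OpenBSD item in the post above says the fix was to limit how many out-of-order segments a connection may hold. Here is an added C illustration of that bound (my code, not OpenBSD's tcp_input.c; the 64-segment cap, the starting sequence number and the attacker's segment pattern are all made up for the example): a tiny reassembly queue that can run unbounded or capped, fed by a peer that never fills the hole at rcv_nxt.

```c
/* Added illustration (not OpenBSD's code): a per-connection out-of-order
 * segment queue, with and without a cap. Constants are invented. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OOO_CAP_EXAMPLE 64      /* hypothetical per-connection limit */

struct seg { uint32_t seq, len; struct seg *next; };

struct conn {
    uint32_t rcv_nxt;       /* next in-order byte the receiver expects */
    struct seg *ooo;        /* out-of-order queue, sorted by seq */
    size_t ooo_count;
    size_t ooo_limit;       /* 0 = unbounded: the vulnerable configuration */
    size_t dropped;         /* segments refused because of the cap */
};

void conn_init(struct conn *c, uint32_t isn, size_t limit)
{
    c->rcv_nxt = isn; c->ooo = NULL; c->ooo_count = 0;
    c->ooo_limit = limit; c->dropped = 0;
}

/* Deliver queued segments that have become contiguous with rcv_nxt. */
static void drain(struct conn *c)
{
    while (c->ooo && c->ooo->seq <= c->rcv_nxt) {
        struct seg *s = c->ooo;
        if (s->seq + s->len > c->rcv_nxt) c->rcv_nxt = s->seq + s->len;
        c->ooo = s->next; c->ooo_count--; free(s);
    }
}

/* Returns 1 if the segment was consumed or queued, 0 if the cap dropped it.
 * Overlap trimming and sequence wraparound are omitted for brevity. */
int tcp_input(struct conn *c, uint32_t seq, uint32_t len)
{
    struct seg *s, **pp;
    if (seq <= c->rcv_nxt) {                       /* in order (or old data) */
        if (seq + len > c->rcv_nxt) c->rcv_nxt = seq + len;
        drain(c);
        return 1;
    }
    /* The fix: refuse to buffer more than the limit for this connection. */
    if (c->ooo_limit && c->ooo_count >= c->ooo_limit) { c->dropped++; return 0; }
    s = malloc(sizeof *s);
    if (!s) return 0;
    s->seq = seq; s->len = len;
    for (pp = &c->ooo; *pp && (*pp)->seq < seq; pp = &(*pp)->next) ;
    s->next = *pp; *pp = s; c->ooo_count++;
    return 1;
}

void conn_free(struct conn *c)
{
    while (c->ooo) { struct seg *n = c->ooo->next; free(c->ooo); c->ooo = n; }
    c->ooo_count = 0;
}

/* Attacker model from the advisory: never send byte rcv_nxt, only data beyond
 * it, so nothing is ever delivered and every segment stays queued. Returns the
 * number of segments still held; *dropped receives how many the cap refused. */
size_t simulate_hole_flood(size_t limit, size_t n_segments, size_t *dropped)
{
    struct conn c; size_t i, queued;
    conn_init(&c, 1000, limit);                    /* constructed ISN */
    for (i = 0; i < n_segments; i++)
        tcp_input(&c, 1001 + (uint32_t)i * 100, 100);   /* 1001, 1101, ... never 1000 */
    queued = c.ooo_count;
    if (dropped) *dropped = c.dropped;
    conn_free(&c);
    return queued;
}

int main(void)
{
    size_t d;
    printf("unbounded: %zu segments held\n", simulate_hole_flood(0, 10000, &d));
    printf("capped:    %zu segments held, %zu dropped\n",
           simulate_hole_flood(OOO_CAP_EXAMPLE, 10000, &d), d);
    return 0;
}
```

With the limit at 0 the queue grows by one entry per segment, which is the memory-buffer exhaustion the advisory describes; with a cap, every segment past the limit is dropped and the memory held per connection stays fixed, so one client can no longer starve the rest of the stack.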
12-Mar-2004, 12:56 PM
#5
Courier Japanese codeset converter buffer overflow

Description: Courier is a freely available mail transport agent (MTA) for most Linux and Unix-based operating systems. Courier-IMAP is an IMAP server that is included with the Courier Mail Server and can also be used as a standalone IMAP server for other mail servers. Courier versions prior to 0.45 and Courier-IMAP versions prior to 3.0.0 are vulnerable to a buffer overflow in the shiftjis.c and iso2022jp.c converters, which are a part of the Courier Japanese codeset, caused by improper bounds checking of emails containing non-BMP (Basic Multilingual Plane) Unicode characters. A remote attacker could use this vulnerability to overflow a buffer and cause a denial of service. Note: SqWebMail versions prior to 4.0.0 are also affected by this vulnerability.

Platforms Affected:
Double Precision, Inc. Courier prior to 0.45
inter7 SqWebMail prior to 4.0.0
kernel.org Linux Any version
Sam Varshavchik Courier-IMAP prior to 3.0.0
Various Unix Any version

For Courier: Upgrade to the latest version of Courier (0.45.1 or later), available from the Courier Mail Server Web page.
For Courier-IMAP: Upgrade to the latest version of Courier-IMAP (3.0.1 or later), available from the Courier Mail Server Web page.
For SqWebMail: Upgrade to the latest version of SqWebMail (4.0.1 or later), available from the Courier Mail Server Web page.
http://xforce.iss.net/xforce/xfdb/15434

Regards eddie
12-Mar-2004, 12:58 PM
#6
cPanel resetpass section allows execution of commands

Description: cPanel is a Web-based management interface for Linux-based operating systems. cPanel versions 9.1.0 build 34 and earlier could allow a local attacker to execute arbitrary commands on the system, caused by a vulnerability in the "Allow cPanel users to reset their password via email" feature in the WebHostManager. A remote attacker could supply shell meta characters to the user parameter in the resetpass section, allowing the attacker to execute arbitrary commands on the system with root privileges.

Platforms Affected:
cPanel Inc. cPanel 9.1.0 build 34 and prior
kernel.org Linux Any version

Remedy: No remedy available as of March 2004. As a workaround, users of the STABLE and RELEASE branches should disable the "Allow cPanel users to reset their password via email" feature in the WebHostManager.
http://xforce.iss.net/xforce/xfdb/15443

Regards eddie
12-Mar-2004, 01:00 PM
#7
Open WebMail userstat.pl allows execution of commands

Description: Open WebMail is an open-source Web mail program written in Perl for Unix-based operating systems. Open WebMail versions 2.30 and earlier could allow a remote attacker to execute arbitrary commands on the system. A remote attacker could supply shell meta characters in parameters to the userstat.pl component, allowing the attacker to execute arbitrary commands on the system.

Platforms Affected:
kernel.org Linux Any version
Open WebMail Project Open WebMail 2.30 and earlier

Remedy: Upgrade to the latest current version of Open WebMail (dated 30-Jan-2004 20:53 or later), available from the Open WebMail Web site.
http://xforce.iss.net/xforce/xfdb/15444

Regards eddie
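The cPanel and Open WebMail items in the two posts above are the same bug: a request parameter pasted into a command string that a shell then parses. Added C illustration (mine, not cPanel's or Open WebMail's code; the helper path /usr/local/bin/resetpass-mail and the attacker value are invented): the vulnerable string build next to the two checks that stop it, an allowlist on the value and an execv() with an argv so no shell ever interprets it.

```c
/* Added illustration (not cPanel's or Open WebMail's code): how a CGI
 * parameter that reaches a shell string becomes command execution, and the
 * checks that prevent it. Helper path and input strings are invented. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* The vulnerable pattern: the "user" parameter is pasted into a command line
 * that will be handed to /bin/sh via system() or Perl backticks/open(). */
int build_reset_cmd_vulnerable(const char *user, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "/usr/local/bin/resetpass-mail %s", user);
    return n >= 0 && (size_t)n < cmdlen;
}

/* Check 1: does the value contain anything /bin/sh would interpret? */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&$`\\\"'<>()*?[]{}~\n\r ") != NULL;
}

/* Check 2 (preferred): accept only what an account name may contain,
 * instead of trying to enumerate what is dangerous. */
int is_valid_account_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || !islower((unsigned char)s[0])) return 0;
    for (; *s; s++)
        if (!islower((unsigned char)*s) && !isdigit((unsigned char)*s) &&
            *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Hardened: validate, then exec with an argv so no shell sees the value.
 * Returns the child's exit status, or -1 if the input was rejected. */
int run_reset_hardened(const char *helper, const char *user)
{
    pid_t pid;
    int status;
    if (!is_valid_account_name(user)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)user, NULL };
        execv(helper, argv);        /* the value is one argv element, never parsed */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *attack = "eddie; id";       /* constructed attacker value */

    build_reset_cmd_vulnerable(attack, cmd, sizeof cmd);
    printf("shell would run: %s\n", cmd);   /* two commands, not one */
    printf("meta=%d valid=%d\n", has_shell_meta(attack), is_valid_account_name(attack));

    /* /bin/echo stands in for the helper: the exec path hands the whole value
     * over as a single argument, and the attack value is refused outright. */
    printf("hardened(eddie)=%d hardened(attack)=%d\n",
           run_reset_hardened("/bin/echo", "eddie"),
           run_reset_hardened("/bin/echo", attack));
    return 0;
}
```

The allowlist is the check that actually closes the hole; has_shell_meta() is shown only because blacklists of metacharacters are what such code usually grows first, and they miss things (newlines, encodings, the helper's own option parsing). Even with a valid name, building an argv rather than a string is what keeps a future change to the allowlist from reopening the bug.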
23-Mar-2004, 06:44 PM
#8
Updated OpenSSL packages fix vulnerabilities

Updated OpenSSL packages that fix several remote denial of service vulnerabilities are now available.

2. Relevant releases/architectures:
Red Hat Linux 9 - i386, i686

3. Problem description:
OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6l and 0.9.7a-0.9.7c. A remote attacker could perform a carefully-crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue.

Stephen Henson discovered a flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote attacker could perform a carefully-crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and are therefore unaffected by this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that can lead to a denial of service attack (infinite loop). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0081 to this issue. This issue affects only the OpenSSL compatibility packages shipped with Red Hat Linux 9.

These updated packages contain patches provided by the OpenSSL group that protect against these issues.

NOTE: Because server applications are affected by this issue, users are advised to either restart all services using OpenSSL functionality or restart their system after installing these updated packages.
http://www.linuxsecurity.com/advisor...sory-4142.html

Denial-of-service vulnerability in OpenSSL

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II. Problem Description
When processing an SSL/TLS ChangeCipherSpec message, OpenSSL may fail to check that a new cipher has been previously negotiated. This may result in a null pointer dereference.

III. Impact
A remote attacker could perform a specially crafted SSL/TLS handshake with an application that utilizes OpenSSL, triggering the null pointer dereference and causing the application to crash. Depending upon the specifics of the application, this may result in an effective denial-of-service.

IV. Workaround
No workaround is known.

V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.
2) To patch your present system:
http://www.linuxsecurity.com/advisor...sory-4144.html

openssl

A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. The test uncovered a null-pointer assignment in the do_change_cipher_spec() function which could be abused by a remote attacker crafting a special SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application in question, this could lead to a Denial of Service (DoS). This vulnerability affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has assigned CAN-2004-0079 to this issue.

Another vulnerability was discovered by Stephen Henson in OpenSSL versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. CVE has assigned CAN-2004-0112 to this issue.

Mandrakesoft urges users to upgrade to the packages provided that have been patched to protect against these problems. We would also like to thank NISCC for their assistance in coordinating the disclosure of these problems. Please note that you will need to restart any SSL-enabled services for the patch to be effective, including (but not limited to) Apache, OpenLDAP, etc.
http://www.linuxsecurity.com/advisor...sory-4146.html

kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit. The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.

For the stable distribution (woody) this problem has been fixed in version 2.2.10-13woody1 of 2.2 kernel images for the powerpc/apus architecture and in version 2.2.10-2 of Linux 2.2.10 source. For the unstable distribution (sid) this problem will be fixed soon with the 2.4.20 kernel-image package for powerpc/apus. The old 2.2.10 kernel image will be removed from Debian unstable. You are strongly advised to switch to the fixed 2.4.17 kernel-image package for powerpc/apus from woody until the 2.4.20 kernel-image package is fixed in the unstable distribution. We recommend that you upgrade your Linux kernel package.
http://www.linuxsecurity.com/advisor...sory-4147.html

Updated Mozilla packages fix security issues

2. Relevant releases/architectures:
Red Hat Linux 9 - i386

3. Problem description:
Mozilla is a Web browser and mail reader, designed for standards compliance, performance and portability. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications.

NISCC testing of implementations of the S/MIME protocol uncovered a number of bugs in NSS versions prior to 3.9. The parsing of unexpected ASN.1 constructs within S/MIME data could cause Mozilla to crash or consume large amounts of memory. A remote attacker could potentially trigger these bugs by sending a carefully-crafted S/MIME message to a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0564 to this issue.

Andreas Sandblad discovered a cross-site scripting issue that affects various versions of Mozilla. When linking to a new page it is still possible to interact with the old page before the new page has been successfully loaded. Any Javascript events will be invoked in the context of the new page, making cross-site scripting possible if the different pages belong to different domains. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0191 to this issue.

Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0594 to this issue.

Users of Mozilla are advised to upgrade to these updated packages, which contain Mozilla version 1.4.2 and are not vulnerable to these issues.
http://www.linuxsecurity.com/advisor...sory-4148.html

Gentoo Linux

1. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue.
2. A flaw has been discovered in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos cipher suites and will therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue.
3. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop). This issue was traced to a fix that was added to OpenSSL 0.9.6d some time ago. This issue will affect vendors that ship older versions of OpenSSL with backported security patches.
http://www.linuxsecurity.com/advisor...sory-4149.html

[slackware-security] OpenSSL security update

Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.
http://www.linuxsecurity.com/advisor...sory-4150.html

sysstat

Package description: SAR and IOSTAT for Linux
Problem description: The isag script shipped with sysstat was creating temporary files in the /tmp directory in an insecure way. As TSL does not include the prerequisites for running the script, we have removed it from the distribution.
Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.
http://www.linuxsecurity.com/advisor...sory-4151.html

openssl

Problem description: Several holes were discovered that could lead to denial of service (DoS) attacks on SSL-enabled services. See CAN-2004-0079, CAN-2004-0081, and CAN-2004-0112 on http://cve.mitre.org for a more thorough description of these problems.
Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.
http://www.linuxsecurity.com/advisor...sory-4152.html

Updated httpd packages fix mod_ssl security issue

Updated httpd packages are now available that fix a denial of service vulnerability in mod_ssl and include various other bug fixes.

2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Enterprise Linux ES version 3 - i386
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:
The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. A memory leak in mod_ssl in the Apache HTTP Server prior to version 2.0.49 allows a remote denial of service attack against an SSL-enabled server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0113 to this issue.

This update also includes various bug fixes, including:
- improvements to the mod_expires, mod_dav, mod_ssl and mod_proxy modules
- a fix for a bug causing core dumps during configuration parsing on the IA64 platform
- an updated version of mod_include fixing several edge cases in the SSI parser
Additionally, the mod_logio module is now included. Users of the Apache HTTP server should upgrade to these updated packages, which contain backported patches that address these issues.
http://www.linuxsecurity.com/advisor...sory-4153.html

openssl

This update includes OpenSSL packages to fix two security issues affecting OpenSSL 0.9.7a which allow denial of service attacks; CVE CAN-2004-0079 and CVE CAN-2003-0851. Also included are updates for the OpenSSL 0.9.6 and 0.9.6b compatibility libraries included in Fedora Core 1, fixing a separate issue which could also lead to a denial of service attack; CVE CAN-2004-0081.
http://www.linuxsecurity.com/advisor...sory-4154.html

Regards eddie
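Both the kdelibs/Konqueror advisories in the 11-Mar post above and the Mozilla advisory in this post describe the same cookie path trick. Added C illustration (mine, not code from KDE, Mozilla or Red Hat; the /victim and /attacker paths are made up): the raw prefix comparison the advisories describe, next to a check that percent-decodes the request path once, collapses "." and ".." segments, applies the usual cookie path-match rule (the one later written down in RFC 6265), and, as the KDE 3.1.3 fix does, withholds the cookie altogether if the URI contained traversal.

```c
/* Added illustration (not code from KDE, Mozilla or Red Hat): why a raw
 * prefix test leaks cookies across path traversal, and a canonicalise-then-
 * match check that does not. All paths are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Single %XX decode, the same single decode the origin server applies. */
static int pct_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    while (*src) {
        int c = (unsigned char)*src;
        if (c == '%' && hexval((unsigned char)src[1]) >= 0 &&
            hexval((unsigned char)src[2]) >= 0) {
            c = hexval((unsigned char)src[1]) * 16 + hexval((unsigned char)src[2]);
            src += 3;
        } else {
            src++;
        }
        if (o + 1 >= dstlen) return 0;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 1;
}

/* Decode, then collapse "." and ".." segments. Returns -1 on bad input,
 * otherwise the number of ".." segments seen; canon receives the absolute
 * path without a trailing slash (except "/" itself). */
static int canonicalise(const char *raw, char *canon, size_t outlen)
{
    char dec[1024];
    const char *p;
    size_t olen = 0;
    int traversals = 0;

    if (!pct_decode(raw, dec, sizeof dec) || dec[0] != '/' || outlen < 2)
        return -1;
    canon[olen++] = '/';
    for (p = dec + 1; *p; ) {
        const char *seg = p;
        size_t seglen;
        while (*p && *p != '/') p++;
        seglen = (size_t)(p - seg);
        if (*p == '/') p++;
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;                                   /* "//" or "/./" */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            traversals++;                               /* pop the last segment */
            if (olen > 1) {
                olen--;
                while (olen > 0 && canon[olen - 1] != '/') olen--;
            }
            continue;
        }
        if (olen + seglen + 2 > outlen) return -1;
        memcpy(canon + olen, seg, seglen);
        olen += seglen;
        canon[olen++] = '/';
    }
    if (olen > 1) olen--;                               /* drop trailing '/' */
    canon[olen] = '\0';
    return traversals;
}

/* The naive test the advisories describe: cookie path as a raw prefix. */
int cookie_path_matches_naive(const char *cookie_path, const char *request_uri)
{
    return strncmp(cookie_path, request_uri, strlen(cookie_path)) == 0;
}

/* Path-match on an already canonical path: "/a" covers "/a" and "/a/b",
 * "/a/" covers "/a/b", and neither covers "/ab". */
static int path_match(const char *cookie_path, const char *canon)
{
    size_t n = strlen(cookie_path);
    if (strncmp(cookie_path, canon, n) != 0) return 0;
    if (canon[n] == '\0') return 1;
    if (n > 0 && cookie_path[n - 1] == '/') return 1;
    return canon[n] == '/';
}

/* Hardened decision: 1 = send the cookie, 0 = withhold it. Any traversal in
 * the request-URI withholds outright, as the KDE 3.1.3 patch does. */
int cookie_path_allows(const char *cookie_path, const char *request_uri)
{
    char canon[1024];
    int traversals = canonicalise(request_uri, canon, sizeof canon);
    if (traversals != 0) return 0;      /* undecodable, overlong, or ".." seen */
    return path_match(cookie_path, canon);
}

int main(void)
{
    const char *evil = "/victim/%2e%2e/attacker/steal.cgi";       /* constructed */
    printf("naive:    %d\n", cookie_path_matches_naive("/victim", evil));  /* 1: leaks */
    printf("hardened: %d\n", cookie_path_allows("/victim", evil));         /* 0 */
    printf("normal:   %d\n", cookie_path_allows("/victim", "/victim/inbox")); /* 1 */
    return 0;
}
```

Decoding exactly once mirrors what Apache does to the request-URI before routing; a server that decodes twice would need the same treatment here, which is why refusing on any traversal, rather than trusting the canonical form, is the safer of the two policies.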
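On CAN-2004-0079, the FreeBSD text above gives the mechanism: ChangeCipherSpec is processed without checking that a cipher was negotiated first, so the pending-cipher pointer is NULL when it is dereferenced. Added C illustration (mine, not OpenSSL's do_change_cipher_spec(); the struct, message names and cipher table are invented): the same handler in its unchecked and checked shapes, driven by a normal handshake order and by the early-CCS order a test tool sends.

```c
/* Added illustration (not OpenSSL's code): the state check the FreeBSD and
 * Red Hat advisories describe. Names and the cipher table are invented. */
#include <stdio.h>
#include <stddef.h>

struct cipher { const char *name; int key_len; };
static const struct cipher kRsaAes128 = { "RSA-AES128-SHA", 16 };

enum msg { MSG_CLIENT_HELLO, MSG_SERVER_HELLO, MSG_CHANGE_CIPHER_SPEC, MSG_FINISHED };
enum { TLS_OK = 0, TLS_ERR_UNEXPECTED_MESSAGE = -1 };

struct tls_conn {
    const struct cipher *new_cipher;   /* chosen by ServerHello, NULL until then */
    const struct cipher *cur_cipher;   /* installed by ChangeCipherSpec */
    int write_key_len;
};

/* What a change-cipher-spec routine has to do: derive keys for the pending
 * cipher. A NULL pending pointer here is the crash from the advisories. */
static int change_cipher_spec(struct tls_conn *c, const struct cipher *pending)
{
    c->write_key_len = pending->key_len;
    c->cur_cipher = pending;
    return TLS_OK;
}

/* Vulnerable shape: any CCS is acted upon, whatever the handshake state. */
int handle_msg_vulnerable(struct tls_conn *c, enum msg m, const struct cipher *chosen)
{
    switch (m) {
    case MSG_SERVER_HELLO:       c->new_cipher = chosen; return TLS_OK;
    case MSG_CHANGE_CIPHER_SPEC: return change_cipher_spec(c, c->new_cipher);
    default:                     return TLS_OK;
    }
}

/* Fixed shape: CCS is only legal once a cipher has been negotiated. */
int handle_msg_fixed(struct tls_conn *c, enum msg m, const struct cipher *chosen)
{
    switch (m) {
    case MSG_SERVER_HELLO:       c->new_cipher = chosen; return TLS_OK;
    case MSG_CHANGE_CIPHER_SPEC:
        if (c->new_cipher == NULL) return TLS_ERR_UNEXPECTED_MESSAGE;  /* the check */
        return change_cipher_spec(c, c->new_cipher);
    default:                     return TLS_OK;
    }
}

/* Drive a fresh connection through a message sequence with the given handler;
 * returns the first error, or TLS_OK. */
int run_sequence(int (*handler)(struct tls_conn *, enum msg, const struct cipher *),
                 const enum msg *seq, size_t n, struct tls_conn *c)
{
    size_t i;
    c->new_cipher = NULL; c->cur_cipher = NULL; c->write_key_len = 0;
    for (i = 0; i < n; i++) {
        int r = handler(c, seq[i], &kRsaAes128);
        if (r != TLS_OK) return r;
    }
    return TLS_OK;
}

/* Constructed message orders: the normal one, and CCS before any ServerHello. */
static const enum msg kNormalSeq[]   = { MSG_CLIENT_HELLO, MSG_SERVER_HELLO, MSG_CHANGE_CIPHER_SPEC };
static const enum msg kEarlyCcsSeq[] = { MSG_CLIENT_HELLO, MSG_CHANGE_CIPHER_SPEC };

int main(void)
{
    struct tls_conn c;
    printf("fixed, normal order: %d\n", run_sequence(handle_msg_fixed, kNormalSeq, 3, &c));
    printf("fixed, early CCS:    %d\n", run_sequence(handle_msg_fixed, kEarlyCcsSeq, 2, &c));
    /* run_sequence(handle_msg_vulnerable, kEarlyCcsSeq, 2, &c) would dereference
     * NULL inside change_cipher_spec(): that is the crash being described. */
    return 0;
}
```

The vulnerable variant is left in so the difference is visible, but main() deliberately does not drive it with the early-CCS sequence, since that call dereferences NULL. The general rule is the same for any record-layer state machine: every message type has a set of states in which it is legal, and the check belongs at the dispatch point, before any field of the pending state is touched.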
31-Mar-2004, 10:10 AM
#9
MPlayer header buffer overflow

Description: MPlayer is a movie player for Unix and Linux-based operating systems. MPlayer versions prior to 3/30/2004 are vulnerable to a buffer overflow. A remote attacker could send a specially-crafted HTTP header to overflow a buffer and execute arbitrary code on the system when the header is parsed.

Platforms Affected:
kernel.org: Linux Any version
Mplayer: MPlayer 0.90
Mplayer: MPlayer 0.90pre
Mplayer: MPlayer 0.90rc
Mplayer: MPlayer 0.91
Mplayer: MPlayer 1.0pre1
Mplayer: MPlayer 1.0pre2
Mplayer: MPlayer 1.0pre3
Various: Unix Any version

Remedy: Apply the appropriate patch for your system, available from the MPlayer Web site.
http://xforce.iss.net/xforce/xfdb/15675

GNOME LD_LIBRARY_PATH allows local privilege escalation

Description: GNOME version 2.x could allow local users to gain elevated privileges on the system, caused by a vulnerability in the LD_LIBRARY_PATH variable when /usr/X11R6/bin/gnome is initializing.

Platforms Affected:
GNOME Project: GNOME 2.x
kernel.org: Linux Any version
Various: Unix Any version

Remedy: No remedy available as of March 2004.
Consequences: Gain Privileges
http://xforce.iss.net/xforce/xfdb/15664

Regards eddie

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.
