Hiya

Wietse Venema reported he found a denial of service vulnerability in
postfix. The SMTP session log that postfix keeps for debugging purposes
could grow to an unreasonable size
postfix
http://www.linuxsecurity.com/advisories/debian_advisory-1745.html

OpenSSH is a freely available, open source implementation of the
Secure Shell protocol. It provides secure encrypted communication
between two untrusted hosts over an insecure network.
The OpenSSH developers released[1] a new version of OpenSSH which
fixes a local vulnerability[2] related to the "UseLogin" option. If
this option is enabled, local users may be able to pass arbitrary
environment variables to the "login" process. By setting LD_PRELOAD
and using a malicious shared library, an attacker might execute
arbitrary code as root.
Please note that Conectiva Linux does not have the "UseLogin" option
enabled by default. Therefore, it's not vulnerable to attacks unless
the system administrator has turned it on.
openssh
http://www.linuxsecurity.com/advisories/other_advisory-1746.html

The OpenSSH team has reported a vulnerability in the OpenSSH server
that allows remote attackers to obtain root privilege if the server
has the UseLogin option enabled. This option is off by default on
OpenLinux, so a default installation is not vulnerable.
We nevertheless recommend to our customers to upgrade to the fixed
package.
Exploits of this vulnerability have apparently been circulated for
some time
Linux - Remote vulnerability in OpenSSH
http://www.linuxsecurity.com/advisories/caldera_advisory-1747.html

The default pam files for the passwd program did not include support
for md5 passwords, thus any password changes or post-install added
users would not have md5 passwords.
passwd
http://www.linuxsecurity.com/advisories/mandrake_advisory-1748.html

The new OpenSSH 3.0.2 fixes a vulnerability in the UseLogin option.
By default, Mandrake Linux does not enable UseLogin, but if the
administrator enables it, local users are able to pass environment
variables to the login process. This update also fixes a security
hole in the KerberosV support that is present in versions 2.9.9 and
3.0.0.
openssh
http://www.linuxsecurity.com/advisories/mandrake_advisory-1749.html

Updated glibc packages are available to fix an overflowable buffer
and for 7.x to fix a couple of non-security related bugs.
Red Hat Linux 6.2 - alpha, i386, i686, sparc, sparcv9
Red Hat Linux 7.0 - alpha, alphaev6, i386, i686
Red Hat Linux 7.1 - alpha, alphaev6, i386, i686, ia64
Red Hat Linux 7.2 - i386, i686
http://www.linuxsecurity.com/advisories/redhat_advisory-1750.html

Regards
eddie
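
A defender-side check for the UseLogin condition the OpenSSH advisories above describe, added here as an example (it is not part of the original post or of any advisory): it reports the effective UseLogin value in an sshd_config file. It assumes case-insensitive keywords, that the first active occurrence of a keyword wins, that "Keyword=value" is accepted, and that an unset option means "no"; the function name `uselogin_state` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective UseLogin setting of an sshd_config file.
# Assumptions: keywords are case-insensitive, the first active occurrence of a
# keyword wins, "Keyword=value" is accepted, and an unset UseLogin means "no".

uselogin_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    val=$(awk '
        { sub(/#.*$/, ""); sub(/=/, " "); gsub(/"/, "") }   # drop comments, "=", quotes
        tolower($1) == "uselogin" { print tolower($2); exit }
    ' "$cfg")
    case "$val" in
        yes)   echo "yes" ;;      # the option the advisories warn about is on
        no|"") echo "no" ;;       # explicitly off, or unset (assumed default)
        *)     echo "invalid" ;;  # unexpected value, review by hand
    esac
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#UseLogin no
uselogin YES    # first active occurrence wins
UseLogin no
EOF
echo "UseLogin effective value: $(uselogin_state "$sample")"
rm -f "$sample"
```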