Solarspeed.net has released an unofficial Bind 8.3.3 package for the Sun Cobalt RaQ 3/4 server appliances
MandrakeSoft has release a BIND update for Mandrake Linux 7.2 and Single Network Firewall 7.2
Linux Today reports that a Trojan has been found in libpcap and tcpdump
SuSE has released a bind8 update for SuSE Linux
A new Apache-Perl package for Debian GNU/Linux has been released
ExtrmeTech has posted a news story on two BIND security vulnerabilities
SuSE has released the follow secuity updates:
traceroute-nanog/nkitb
kdenetwork: remote command execution
perl-MailTools: remote command execution
traceroute-nanog/nkitb
kdenetwork: remote command execution
perl-MailTools: remote command execution
A updated masqmail package is now available for Debian GNU/Linux
A new kdenetwork security update for Debian GNU/Linux has been released
Red Hat has released new PHP packages for Red Hat Linux 7.x
Sun has released an IMAP Update for the Sun Cobalt RaQ4 server appliance
A new html2ps security update for Debian GNU/Linux is available
Two new security patches are available for Debian GNU/Linux:
Squirrelmail
Several cross site scripting vulnerabilities have been found in squirrelmail, a feature-rich webmail package written in PHP4. These problems have been fixed in version 1.2.6-1.1 the current stable distribution (woody) and in version 1.2.8-1.1 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package.
Read more
Window Maker
Al Viro found a problem in the image handling code use in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes).
This problem has been fixed in version 0.80.0-4.1 for the current stable distribution (woody). Packages for the mipsel architecture are not yet available.
Read more
Squirrelmail
Several cross site scripting vulnerabilities have been found in squirrelmail, a feature-rich webmail package written in PHP4. These problems have been fixed in version 1.2.6-1.1 the current stable distribution (woody) and in version 1.2.8-1.1 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it doesn't contain a squirrelmail package.
Read more
Window Maker
Al Viro found a problem in the image handling code use in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes).
This problem has been fixed in version 0.80.0-4.1 for the current stable distribution (woody). Packages for the mipsel architecture are not yet available.
Read more
Red Hat has released a new Kerberos package for Red Hat Linux
MandrakeSoft has released security updates for nss_ldap and perl-MailTools
nss_ldap
A buffer overflow vulnerability exists in nss_ldap versions prior to 198. When nss_ldap is configured without a value for the "host" keyword, it attempts to configure itself using SRV records stored in DNS. nss_ldap does not check that the data returned by the DNS query will fit into an internal buffer, thus exposing it to an overflow.
A similar issue exists in versions of nss_ldap prior to 199 where nss_ldap does not check that the data returned by the DNS query has not been truncated by the resolver libraries to avoid a buffer overflow. This can make nss_ldap attempt to parse more data than what is actually available, making it vulnerable to a read buffer overflow.
Finally, a format string bug in the logging function of pam_ldap prior to version 144 exist.
All users are recommended to upgrade to these updated packages. Note that the nss_ldap packages for 7.2, 8.0, and Single Network Firewall 7.2 contain the pam_ldap modules.
Read more
perl-MailTools
A vulnerability was discovered in Mail::Mailer perl module by the SuSE security team during an audit. The vulnerability allows remote attackers to execute arbitrary commands in certain circumstances due to the usage of mailx as the default mailer, a program that allows commands to be embedded in the mail body.
This module is used by some auto-response programs and spam filters which make use of Mail::Mailer.
Read more
nss_ldap
A buffer overflow vulnerability exists in nss_ldap versions prior to 198. When nss_ldap is configured without a value for the "host" keyword, it attempts to configure itself using SRV records stored in DNS. nss_ldap does not check that the data returned by the DNS query will fit into an internal buffer, thus exposing it to an overflow.
A similar issue exists in versions of nss_ldap prior to 199 where nss_ldap does not check that the data returned by the DNS query has not been truncated by the resolver libraries to avoid a buffer overflow. This can make nss_ldap attempt to parse more data than what is actually available, making it vulnerable to a read buffer overflow.
Finally, a format string bug in the logging function of pam_ldap prior to version 144 exist.
All users are recommended to upgrade to these updated packages. Note that the nss_ldap packages for 7.2, 8.0, and Single Network Firewall 7.2 contain the pam_ldap modules.
Read more
perl-MailTools
A vulnerability was discovered in Mail::Mailer perl module by the SuSE security team during an audit. The vulnerability allows remote attackers to execute arbitrary commands in certain circumstances due to the usage of mailx as the default mailer, a program that allows commands to be embedded in the mail body.
This module is used by some auto-response programs and spam filters which make use of Mail::Mailer.
Read more
Two new security updates for Debian GNU/Linux are available:
DSA-188-1 apache-ssl -- several
DSA-188-1 apache-ssl -- several
Red Hat has released an updated glibc package for Red Hat 6.2/7.x
NewsForge has posted a Q&A session with Jay Beale on Linux security
Red Hat has released updated PostScript and PDF packages
A new Apache update for Debian GNU/Linux has been released
