Security

News and Editorials

Open Web Application Security Project. The Open Web Application Security Project has announced its existence. OWASP has as its goal helping people develop secure applications for the web. Sub-projects include the development of attack components and an application testing framework.

Security Reports

Postfix session log memory exhaustion. Conectiva and RedHat have come out with what appear to be the first postfix updates fixing a denial of service vulnerability in Postfix 20010228 and some earlier versions.

Cyrus SASL library vulnerability. A format string bug in the authentication API for mail clients and servers may be remotely exploitable. This week both SuSE and Caldera released updates to cyrus-sasl to address the problem.

Buffer overflow in wu-ftpd. There is a nasty file globbing heap corruption vulnerability in wu-ftpd which impacts many Linux distributions. RedHat, SuSE and Caldera have issued updates. This is probably the problem alluded to in the "vague message" about a possible vulnerability in wu-ftpd reported by LWN last week.

Format string bug in pmake 2.1.33 and below. Format string and buffer overflow problems in pmake may lead to a local root compromise when pmake is installed suid root.

Mandrake Linux kernel security updates. Mandrake has issued new security updates for the 2.2 and 2.4 kernels adding a fix for the syncookies vulnerability. As always with kernel updates, read the instructions carefully...

Mandrake distribution-specific packaging problem. MandrakeSoft has issued a security update for expect (a distribution-specific packaging problem that could lead to a root exploit).

SuSE update to susehelp. SuSE has put out an alert for a remote command execution vulnerability in susehelp.

Mandrake alerts for tetex and mktemp. Mandrake has released an alert for a problem with tetex which can lead to elevated privileges. Mandrake 7.x users need to apply this update to mktemp first.

Web scripts.
The following web scripts were reported to contain vulnerabilities:
Updates

Directory indexing and path discovery in Apache. Versions of Apache prior to version 1.3.19 are vulnerable to a custom-crafted request that can cause modules to misbehave and return a listing of the directory contents by avoiding the error page. (First LWN report: September 20, 2001).
This week's updates:
Previous updates:

Session hijacking vulnerability in IMP. Versions of the Horde IMP mail system prior to 2.2.7 have a session hijacking vulnerability that is well worth fixing. (First LWN report: November 15, 2001).
This week's updates:
Previous updates:

Corrupt RPM query vulnerability. RPM 4.0.2-7x, and probably also earlier 4.0.x versions, allow arbitrary command execution on query of corrupt RPM files. (First BugTraq report: October 25, 2001).
This week's updates:

Denial of service vulnerability in squid-2.4STABLE1. The squid server can be out of service for a few seconds when it reloads after a crash caused by a burst of certain FTP requests. See the September 18th bug report for details.
This week's updates:
Previous updates:

Resources

Quarterly CERT summary. CERT has put out its quarterly summary of ongoing security problems. The list is dominated by Windows vulnerabilities, but the old SSH problem is in there as well.

Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney
November 29, 2001