We encourage dhcp users to upgrade, disable dhcp or, at a minimum, consider
using ingress filtering as described in the CERT advisory.
A sufficient workaround is to filter out untracked local icmp packets using the following command:
Red Hat Security Advisory.
Updated perl-Digest-MD5 packages are available which work around a bug in the utf8 interaction
between perl-Digest-MD5 and Perl.
Gaim arbitrary email reading vulnerability. Gaim 0.57 has
a bug which allows a local attacker to gain
full access to other Gaim users' Hotmail accounts. A
fix is available.
The problem has been fixed in the nightly CVS, and will be fixed in version
0.58. "Gaim is an all-in-one IM client that resembles AIM. Gaim lets you
use AIM, ICQ, Yahoo, MSN, IRC, Jabber, Napster, Zephyr, and Gadu-Gadu,
all at once. Gaim is NOT endorsed by or affiliated with AOL,
Yahoo, MSN or Napster."
Quake II 3.2x server cvar leak. A problem in the Quake II server for Linux allows an attacker to reveal the
server's rcon password. Details of the affected source code and
patched binaries are available.
web scripts.
The following web scripts were reported to contain vulnerabilities:
- NOCC 0.9.5, and possibly earlier versions,
have a cross-site scripting vulnerability. The
NOCC team is working on a fix.
"NOCC is a webmail client written in PHP. It provides webmail access to IMAP and POP3 accounts."
Updates
GNU fileutils race condition. A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
Multiple vulnerabilities in icecast. Icecast is a streaming audio broadcasting system.
Version 1.3.12 was released on April 10th.
"This release is a security update and
all users are highly encouraged to upgrade immediately or apply the
relevant patches to their own versions. Remember, never run icecast as a
privileged user, especially not as root."
(First LWN
report: May 2).
Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a
buffer overflow vulnerability in all prior versions. However,
newer versions, including 3.6.2, are vulnerable to another
buffer overflow in the AFS RPC functions that was reported by
Nick Cleaton.
(First LWN
report: May 9).
Both problems appear to have been reported and fixed in FreeBSD some months
ago. The CIAC
report on the vulnerability in versions prior to 3.5.2 is dated October
31, 2000. Nick Cleaton's FreeBSD
security advisory on the AFS RPC bug, and reference to a fix for
FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21,
2002.
Resources
Linux security week. The
and
publications from LinuxSecurity.com are available.
Fenris 0.02
has been released by Michal Zalewski.
"Fenris is a multipurpose tracer, stateful analyzer and partial
decompiler intended to simplify bug tracking, security audits, code,
algorithm, protocol analysis and computer forensics."
Michal has also written these
hints for those using Fenris for
The Reverse
Challenge contest from the
folks at Honeynet.
His "quick write-up is
not intended to spoil the fun, so it is safe to have a look."
Events
Date | Event | Location
May 16 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) | Ottawa Congress Centre, Ottawa, Ontario, Canada
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands
May 29 - 30, 2002 | RSA Conference 2002 Japan | Akasaka Prince Hotel, Tokyo, Japan
May 31 - June 1, 2002 | SummerCon 2002 | Renaissance Hotel, Washington D.C., USA
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference | Hilton Waikoloa Village, Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop | Keltic Lodge, Cape Breton, Nova Scotia, Canada
June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.