Chosen month 01 / 2001
The LPRng port (versions prior to 3.6.26) contains a potential vulnerability which may allow root compromise from both local and remote systems.
It is due to incorrect usage of the syslog function.
A patch is available now.
The inetd server as shipped with Red Hat Linux 6.2 fails to close sockets for internal services properly.
This could make services stop working once the system has leaked sufficient resources. Normally, these services are not turned on.
Several vulnerabilities have been found in BIND, the name server. Some of them could lead to a root compromise.
Patches are available now.
No further comment, because Microsoft insists on its copyright on advisories.
A vulnerability has been found in glibc which may allow user-defined libraries to be bound in by the dynamic linker ld-linux.so.2.
Kdesu may be tricked into giving the root password to an attacker.
Several holes in BIND may also compromise the root account.
Patches to solve the mentioned problems are available now.
Multiple vulnerabilities have been found in BIND, the Berkeley Internet Name Daemon, versions prior to 4.98 and prior to 8.2.3. Version 9.x is not affected.
Some of the holes may lead to a root compromise of a system running a vulnerable BIND.
New packages with a corrected BIND are available now and should be installed as soon as possible, because tools to exploit the security holes are available.
Some versions of the exmh program use /tmp for storing temporary files. No checks are made to ensure that nobody has placed a symlink with the same name in /tmp. So it is vulnerable to a symlink attack, which may allow an attacker to overwrite any file writable by the user executing exmh.
Insecure handling of temporary files has also been found in inn2. Additionally, a buffer overflow and a denial of service may be possible.
A bug in the way new crontabs are handled may allow an attacker to display arbitrary crontab files on the local system.
This only affects valid crontab files, so it cannot be used to gain access to /etc/shadow or similar files.
On SPARC servers, openssh may exhibit a problem where users cannot connect to the server.
Several critical vulnerabilities have been found in BIND, including the danger of a compromised root account.
Patches to fix the mentioned problems are available.
As Caldera also reports, several security problems have been discovered in the most recent versions of BIND 8 (8.2.2p7). One of them is a buffer overflow that can potentially be exploited to execute arbitrary code with the privileges of the user running BIND.
A workaround and updated packages are available.
Four critical vulnerabilities have been found in recent versions of the well-known name server BIND, affecting many systems:
- ISC BIND 8 contains a buffer overflow in the transaction signature (TSIG) handling code. This vulnerability may allow an attacker to execute code with the same privileges as the BIND server. Because BIND is typically run by a superuser account, the execution would occur with superuser privileges.
- ISC BIND 4 contains a buffer overflow in nslookupComplain(). This vulnerability can disrupt the proper operation of the BIND server and may allow an attacker to execute code with the privileges of the BIND server. Here too, the root account may be compromised.
- ISC BIND 4 contains an input validation error in nslookupComplain(). This vulnerability may allow an attacker to execute code with the privileges of the BIND server. Again, the root account may be compromised.
- Queries to ISC BIND servers may disclose environment variables. This vulnerability may allow attackers to read information from the program stack, possibly exposing environment variables. This may help attackers with further attacks.
Please refer to the advisory for further information about your system and install the patched version!
No further comment, because Microsoft insists on its copyright on advisories.
On HP9000 Series 700 and 800 a vulnerability in man has been found.
By exploiting this vulnerability, users could cause a denial of service (DoS).
Patches are available and should be installed:
| System | Patch-ID |
| HP-UX 10.01 | PHCO_23091 |
| HP-UX 10.10 | PHCO_23090 |
| HP-UX 10.20 | PHCO_23089 |
| HP-UX 10.24 | PHCO_23178 |
| HP-UX 11.00 | PHCO_23088 |
| HP-UX 11.04 | PHCO_23178 |
Under some conditions PHP 3.0.17 would crash. Updated packages are available now.
A format string vulnerability has been found in icecast. As a consequence, the execution of arbitrary commands is possible.
Here too, patches are available and should be installed soon.
The way exmh stores files in the /tmp directory is insecure, and symlink attacks are possible.
Webmin also handles temporary files insecurely. This may lead to a root compromise of the system.
Patches are available now and should be installed as soon as possible.
When squid sends e-mails to the administrator, a race condition may occur, so arbitrary files could be overwritten.
Php4 has vulnerabilities concerning a denial-of-service attack and gives an attacker the possibility to affect the "engine-on"/"engine-off" state. By "special" HTTP requests it is possible to cause php4 to serve the next page with wrong values.
In Apache, insecure opening of temporary files in htdigest and htpasswd has been found. A patch fixes these problems in mod_rewrite.
The other problems may also be solved with patches.
The rnd(4) device does not use all of its input when data is written to it. A patch is available now.
| System: | FreeBSD |
| Topic: | Vulnerabilities found in XFree86, ipfw/ip6fw, crontab, and bind |
| Links: | FreeBSD-SA-01:07, FreeBSD-SA-01:08, FreeBSD-SA-01:09, FreeBSD-SA-01:10, L-029, ERS-2001:021, ERS-2001:022, ERS-2001:023, ERS-2001:024, S-01-05, S-01-06, S-01-07 |
| ID: | ae-200101-041 |
XFree86 is a popular X server. It has multiple vulnerabilities that may allow a denial-of-service attack. Additionally, local users may gain elevated privileges.
Ipfw is a system facility which allows IP packet filtering, redirecting, and traffic accounting. It can be tricked by packets with the (experimental) ECE flag set, so the rules will accept these packets even if they do not belong to an established connection.
Crontab contains a vulnerability that may allow local users to read any file on the system.
Bind has a vulnerability concerning compressed zone transfers (ZXFR). Under certain circumstances Bind will crash. This problem is solved with Bind 8.2.3.
Patches to fix these problems are available now.
No further comment, because Microsoft insists on its copyright on advisories.
AT&T VNC is a freeware remote control package, using a challenge-and-response mechanism for authentication.
An attacker may use a design flaw in the VNC mechanism to launch a simple man-in-the-middle attack to gain unauthorized access to hosts running VNC.
It is recommended to use VNC over encrypted connections only.
| System: | Lotus Domino Notes Server 5.x |
| Topic: | Vulnerability caused by buffer overflow |
| Links: | WinITSec |
| ID: | ae-200101-038 |
Lotus Domino SMTP Server contains a policy feature that can be used to prevent relaying of e-mail.
An attacker may force a buffer overflow by exploiting a hole in this feature; arbitrary commands may be executed.
This vulnerability is fixed in version 5.0.6.
KDE2 comes with the program kdesu to run certain administration commands under the account of the superuser. A bug in kdesu allows any user on the system to steal the passwords entered at the kdesu prompt.
A serious security problem with the ELF shared library loader in glibc can be exploited to overwrite arbitrary files on the system.
Patches are available now.
| System: | Debian Linux |
| Topic: | Vulnerabilities in micq, MySQL, splitvt, sash, wu-ftpd, jazip, and tinyproxy |
| Links: | DSA-012, DSA-013, DSA-014, DSA-015, DSA-016, DSA-017, DSA-018 |
| ID: | ae-200101-036 |
A buffer overflow in sprintf() has been found in micq versions 0.4.6 and earlier. It allows remote attackers sniffing packets to the ICQ server to execute arbitrary code on the victim system.
In the mysql server, a buffer overflow also leads to a remote exploit.
Splitvt is vulnerable to numerous buffer overflow attacks and a format string attack. An attacker would be able to gain root access.
Versions of the sash package prior to 3.4-4 do not clone /etc/shadow properly, causing it to be made world-readable.
A temp file creation bug and a possible format string bug in wu-ftpd were found.
With older versions of jazip, members of the floppy group could gain root access to the local machine.
A heap overflow in tinyproxy may be remotely exploited. An attacker could remotely gain a shell (as user nobody).
Patches are available now.
In MySQL as shipped in Red Hat Linux 7.0, several security risks were reported. They concern buffer overflows and information protection issues.
They are fixed in version 3.23.32, which is available now. Links for downloading the packages can be found in the advisory.
No further comment, because Microsoft insists on its copyright on advisories.
| System: | Oracle 8.1.7 & Windows 2000 |
| Topic: | Oracle JSP/SQLJS handlers allow viewing files and executing JSP outside the web root |
| Links: | GG-036 |
| ID: | ae-200101-033 |
It is possible to view files outside the web root.
Execution of .JSP files outside the web root on the same partition as the web server's root is also possible.
This bug may also exist in other versions, but this has not been tested.
See the given URL for more details, such as demonstration URLs.
| System: | Linux Mandrake 7.2 |
| Topic: | Some versions of MySQL may allow getting the encrypted password from the mysql.user table |
| Links: | MDKSA-2001-014 |
| ID: | ae-200101-032 |
A security problem exists in all versions of MySQL after 3.23.2 and prior to 3.23.31. The problem is that the SHOW GRANTS command could be executed by any user, making it possible for anyone with a MySQL account to get the crypted password from the mysql.user table. The new 3.23.31 version fixes this.
Solution: upgrade to the newest version; also, due to library changes, the PHP package must be updated (see given URL for details).
| System: | Caldera OpenLinux eDesktop 2.4, eServer 2.3.1, eBuilder |
| Topic: | Insecure temp file handling of webmin can cause local root exploit |
| Links: | CSSA-2001-004.0 |
| ID: | ae-200101-031 |
On several occasions, webmin creates temporary files insecurely. This can be exploited by a local attacker to overwrite or create arbitrary files and possibly gain root privilege.
Currently, there are no known exploits for this problem, but there is also no workaround available.
Solution: upgrade to fixed packages (see given URL for details).
Multiple vulnerabilities have been discovered in FastStream FTP++ Beta 10 Build 2.
The first is a DoS attack, where an attacker can flood the FTP server by sending requests of 2048 bytes or greater.
The second vulnerability is a condition where an attacker can browse and obtain directory listings outside of the FTP root directory.
A simple "ls C:\" would provide the user with a directory listing of the C drive.
A third vulnerability is how usernames and passwords are stored: FastStream stores them in an unencrypted file.
FastStream has published a new beta version eliminating the second vulnerability.
A vulnerability has been identified in LocalWeb 2000 1.1.0.
By adding "../" to a URL, an attacker can read files outside of the webroot directory.
A patch will be published soon.
In IBM AIX 3.2.x, 4.1.x, 4.2.x, and 4.3.x a format string vulnerability in the locale subsystem has been found.
A user-specified locale file may be used for displaying messages. Because of this security hole, local users may gain root access to the system.
A patch is available.
| System: | Microsoft IE 4.x, 5.x, Microsoft Outlook & Outlook Express |
| Topic: | Denial-of-Service by Stack Overflow |
| Links: | WinITSec |
| ID: | ae-200101-027 |
A stack overflow has been discovered in the file mshtml.dll.
It is responsible for parsing HTML. Any program that uses this DLL, such as Internet Explorer (IE) 4.0 and later, Outlook, and Outlook Express, is vulnerable.
This vulnerability is low risk because the system "only" crashes and further actions are not possible. Microsoft will address this bug in the next SP for IE.
A defect in the Support Tool Manager application, typically used for hardware diagnostic purposes, enables local users to cause a denial of service (DoS).
Patches are available and should be installed:
| System | Patch-ID |
| HP-UX 10.20, Series 700 | PHSS_23064 |
| HP-UX 10.20, Series 800 | PHSS_23065 |
| HP-UX 11.00 | PHSS_23066 |
| HP-UX 11.11 | PHSS_23067 |
A bug in SSH-1.2.30 involving secure-RPC has been found.
The SSH1 protocol is not formally supported by SSH Communications Security.
When using secure-RPC to encrypt a secret key file with the SUN-DES-1 magic phrase, SSH generates a "magic phrase" which is easily discoverable by other users on the same host or in the same NIS+ domain.
A patch is available now.
| System: | Oracle Application Server & Oracle Internet Application Server |
| Topic: | Vulnerability in mod_plsql |
| Links: | ERS-2001:005 |
| ID: | ae-200101-024 |
Some vulnerabilities in mod_plsql were reported. Now a new configuration parameter in mod_plsql called exclusion_list can be used to disallow URLs with specific formats from being passed to mod_plsql. A patch introducing this new feature is available now.
There are two security problems with php4 as shipped in Linux-Mandrake 7.2. It is possible to specify PHP directives on a per-directory basis under Apache, and a remote attacker could carefully craft an HTTP request that would cause the next page to be served with the wrong values for these directives.
The second problem is that although PHP may be installed, it can be activated and deactivated on a per-directory or per-virtual-host basis using the "engine=on" or "engine=off" directive. PHP can "leak" the "engine=off" setting to other virtual hosts on the same machine, effectively disabling PHP for those hosts and resulting in PHP source code being sent to the client instead of being executed on the server. These vulnerabilities are corrected in PHP 4.0.4pl1.
| System: | Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1 |
| Topic: | Local root exploit of glibc possible |
| Links: | MDKSA-2001:012 |
| ID: | ae-200101-022 |
The LD_PRELOAD variable in the GNU C Library is honoured normally even for SUID/SGID applications (but removed afterwards from the environment) if it does not contain '/' characters. There is a special check which only preloads found libraries if they have the SUID bit set. However, if a library has been found in /etc/ld.so.cache, this check was not performed. As a result, a malicious user could preload some library located in /lib or /usr/lib before SUID/SGID applications and create or overwrite a file he would normally have permission to. As well, LD_PROFILE output from SUID programs would go into /var/tmp, making it vulnerable to various link attacks.
Solution: update package (see links for details)
| System: | UnixWare 7 Release 7.0.0, 7.0.1, 7.1.0, 7.1.1 |
| Topic: | Security exploits in the Verity Search Engine |
| Links: | SB-01.01 |
| ID: | ae-200101-021 |
The Verity search engine can allow remote users to view world-readable system files and gain privileged access on a UnixWare 7 server that is running scohelp(X1), because it is vulnerable to buffer overflows.
A workaround is to disable scohelphttp(X1M) on your systems. This can be done using the command "scohelphttp disable", but it has the disadvantage of disabling access to man pages and online documentation.
For customers with UnixWare 7 Release 7.0.0 and 7.0.1, the solution is to upgrade to UnixWare 7 Release 7.1.1, because 7.0.0 and 7.0.1 are no longer supported.
Customers using UnixWare 7 Release 7.1.0 and 7.1.1 should apply PTF7684a to their systems. See the advisory for details.
WireX discovered a temporary file creation bug in the 2.6.1 release of wu-ftpd. The problem exists in the privatepw helper program. As well, Linux-Mandrake 7.2 users must update to this package as it fixes security problems as discussed in the prior advisory, MDKSA-2000:014, which had not been previously addressed for 7.2.
The DHCP server and client have problems in the error logging code. An attacker can potentially overflow a static buffer and provide a string containing formatting directives. The solution is to upgrade to fixed packages.
Mgetty has a /tmp/ file problem in the fax reception code which could allow determined attackers to overwrite system files. The solution is to upgrade to fixed packages.
INN uses a temporary directory for several operations. Those operations use it in an insecure manner, which would allow an attacker to gain access to the news user.
Since INN is not supposed to work in a public temporary directory, please use the described workaround to change the temp directory to one private to the news user.
Linux.Ramen is a collection of Linux scripts and utilities that arrives on the infected system as Ramen.tgz.
It attempts to locate web servers that are running Red Hat Linux versions 6.2 or 7.0. Default installations of these two Linux versions contain applications that have several security flaws, namely rpc.statd and wu-ftpd. The worm attempts to exploit these flaws to gain access to the server in order to replace the home page of that server with the message:
RameN Crew--Hackers looooooooooooove noodles.
The worm scans the Internet for servers with such security holes. The scan uses large amounts of Internet bandwidth, which may flood lower-bandwidth servers. This worm has no other malicious capabilities.
To prevent infection, update to the latest version of all packages (available at Red Hat Download) and disable unused daemons.
More information about the exploited daemons can be found in CA-2000-17 (rpc.statd) and CA-2000-13 (wu-ftpd).
| System: | FreeBSD ports collection & 4.1.1-STABLE |
| Topic: | Several security holes found |
| Links: | FreeBSD-SA-01:01 (OpenSSH), FreeBSD-SA-01:02 (syslog-ng), FreeBSD-SA-01:03 (bash1), FreeBSD-SA-01:04 (joe), FreeBSD-SA-01:05 (stunnel), FreeBSD-SA-01:06 (zope), ERS-2001:007, ERS-2001:008, ERS-2001:009, ERS-2001:010, ERS-2001:011, ERS-2001:012 |
| ID: | ae-200101-017 |
Several security holes were found in the ports collection of FreeBSD:
| Package | Problem | Affected Versions |
| OpenSSH | Hostile server OpenSSH agent/X11 forwarding | FreeBSD < 4.2 |
| syslog-ng | remote denial-of-service | FreeBSD 3.5.1 & 4.2 |
| bash1 | creates insecure temporary files | FreeBSD 3.5.1 & 4.2 |
| joe | creates insecure recovery files | FreeBSD 3.5.1 & 4.2 |
| stunnel | contains potential remote compromise | FreeBSD 3.5.1 & 4.2 |
| zope | vulnerability allows escalation of privileges | FreeBSD 3.5.1 & 4.2 |
| System: | Microsoft Windows Media Player 7 & IE & Java enabled |
| Topic: | Windows Media Player 7 and IE Java vulnerability - executing arbitrary programs |
| Links: | GG-035, WinITSec |
| ID: | ae-200101-016 |
Georgi Guninski reports a security vulnerability in Windows Media Player 7 in conjunction with IE with Java enabled, which allows reading local files and browsing directories, which in turn allows the execution of arbitrary programs. This may lead to taking full control over the user's computer. A demonstration is available; a patch is not available yet. Workaround: disable Java.
A couple of bugs in GNU C library 2.2 allow unprivileged users to read restricted files and to preload libraries in the directories /lib and /usr/lib into SUID programs even if those libraries have not been marked as such by root. Patches are available now.
The arp program displays and modifies the Internet-to-Ethernet address translation tables used by the address resolution protocol (arp). Prior to Solaris 8, arp was setgid making it susceptible to certain setgid attacks. Patches are available now - they are pointed out in the advisory.
A potential temporary file race problem in the vpop3d program in the linuxconf package has been found and is now corrected with an available patch.
In Debian Linux 2.2 mgetty doesn't create temporary files securely. This may lead to a symlink attack. Patches are available now and should be installed as soon as possible.
No further comment, because Microsoft insists on its copyright on advisories.
Interbase is an open source database package. In it, a compiled-in back door account with a known password has been found. This back door allows any local user, or any remote user able to access port 3050/tcp, to manipulate any database object on the system. This includes the ability to install trapdoors or other trojan horse software in the form of stored procedures. In addition, if the database software is running with root privileges, then any file on the server's file system can be overwritten, possibly leading to execution of arbitrary commands as root.
Affected are Borland/Inprise Interbase 4.x and 5.x, open source Interbase 6.0 and 6.01, and open source Firebird 0.9-3 and earlier.
A patch is available from Borland and the Firebird project.
| System: | Linux Mandrake 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1 |
| Topic: | Fix of potential temp file race in the following applications: diffutils, inn, mgetty, shadow-utils, gpm, rdist, getty_ps, squid, arpwatch, wu_ftpd |
| Links: | MDKSA-2001:008-1 (diffutils), MDKSA-2001:010 (inn), MDKSA-2001:009 (mgetty), MDKSA-2001:007 (shadow-utils), MDKSA-2001:006 (gpm), MDKSA-2001:005 (rdist), MDKSA-2001:004 (getty_ps), MDKSA-2001:003 (squid), MDKSA-2001:002 (arpwatch), MDKSA-2001:001 (wu_ftpd) |
| ID: | ae-200101-009 |
WireX discovered potential temporary file race conditions in several programs. The URLs shown above lead to the updates.
Georgi Guninski has found a new hole in Oracle in combination with Java. The Oracle XSQL servlet is installed by default with Oracle 8.1.7 under Windows 2000. It is Java code and so is not restricted to Windows. The XSQL servlet allows specifying external XSLT stylesheets which may reside anywhere. It is possible to execute Java on the web server from within the XSLT stylesheet, which may lead to a compromise of the web server. Further information can be found in the advisory.
A patch is available now.
A server that uses the 'swait' state in the /etc/inetd.conf file can be made to interfere with one or more services started by inetd, so attackers may cause inetd to hang. Patches are available and should be installed:
| System | Patch-ID |
| HP-UX 10.20 | PHNE_20747 |
| VVOS 10.24 | PHNE_21699 |
| HP-UX 11.00 | PHNE_21835 |
| VVOS 11.24 | PHNE_23068 |
Georgi Guninski reports that it is possible to view most types of CGI files if a special request is sent to Microsoft Internet Information Server 5.0, even when patched against the file fragment reading vulnerability. This works using a request of the type %3F+.htr. A patch is not available yet.
Two vulnerabilities have been discovered in WinRoute Pro 4.1. The first vulnerability causes the software not to function if memory write protection under Windows 2000 is enabled. During the installation process, WinRoute Pro disables memory write protection, which leaves the system less stable and vulnerable to various security threats. The second vulnerability concerns POP3: WinRoute Pro lets anyone use Windows NT domain credentials to access mailboxes. If POP3 is used to access mail, WinRoute Pro lets this information be sent in clear text, which could lead to the compromise of the whole network. Patches will be published soon.
Georgi Guninski reports a problem in the web server of Lotus Domino under Microsoft Windows 2000. Using "special" URLs with Netscape Navigator, attackers may read files outside the area of the web server. A demonstration is available.
A patch is included in the latest version 5.06a.
Many serious vulnerabilities have been found in the openssh package, along with a compilation problem in the openssh and ssh packages in the SuSE-7.0 distribution. A buffer overflow has been found in the HTML parser code of Netscape Navigator in all versions up to and including 4.75. Patches are available now.
In previous versions of MandrakeUpdate a problem has been found: the reporting of the severity of the problems fixed by updated packages was incorrect. This problem affects Linux Mandrake 7.2 only. A patch is available.
| System: | Microsoft Windows Media Player 7 & IE |
| Topic: | Vulnerability caused by WMP ActiveX Control |
| Links: | GG-031, WinITSec |
| ID: | ae-200101-001 |
Georgi Guninski reports a security vulnerability in Windows Media Player 7 which is exploitable through Internet Explorer. This vulnerability allows reading local files, which in turn allows executing arbitrary programs. This may lead to taking full control over the user's computer. A demonstration is available; a patch is not available yet.