Chosen month 07 / 2003

An unprivileged local user may be able to gain unauthorized root
privileges due to a buffer overflow in the runtime linker ld.so.1(1).
Patches are available now.

Konqueror may inadvertently send authentication credentials in clear text,
via the HTTP Referer header, to websites other than the intended one. This
can occur when authentication credentials are passed as part of a URL in the
form http://user:password@host/.
Fixed KDE packages are available now.

Buffer overflows were found in the games xconq and xtokkaetama.
A cross-site scripting vulnerability was discovered in gallery.
Fixed packages are available now.

It has been reported that the IRIX name services daemon "nsd" can be exploited
in various ways through the AUTH_UNIX gid list. This could result in an
attacker gaining root access.
Patches are available now.

When configured to allow password-based or challenge-response
authentication, sshd (the OpenSSH server) uses PAM (Pluggable
Authentication Modules) to verify the user's password. Under certain
conditions, OpenSSH rejects an invalid authentication attempt without
first attempting authentication using PAM.
The amount of time sshd takes to reject an invalid authentication request
varies widely enough that the timing variations could be used to deduce
whether or not an account with a specified name exists on the server.
Fixed packages are available now.

sup, a package used to maintain collections of files in identical
versions across machines, fails to take appropriate security
precautions when creating temporary files. A local attacker could
exploit this vulnerability to overwrite arbitrary files with the
privileges of the user running sup.
Fixed packages are available now.

The Samba version shipped with Solaris 9 is vulnerable to buffer
overflows that have been known for some time (see March and April).
Patches are available now.

Within the last week 57 new vulnerabilities have been reported:

Two patches for HP-UX, PHNE_26413 and PHNE_27128, introduce the potential
for local Denial-of-Service attacks.
The solution is to remove these patches.

Buffer overflow vulnerabilities involving the variables "ul" and "q"
were found in mnoGoSearch. They can be exploited remotely to
execute arbitrary commands with the privileges of the web server.
Patches are available now.

It is possible to cause a Cisco Aironet Access Point to crash and reboot if the
HTTP server feature is enabled. This can be accomplished by submitting a
specially crafted request to the web server. There is no need to authenticate
to perform this attack; only access to the web server is required.
Only IOS-based, not VxWorks-based, Cisco Aironet Wireless Devices are affected.
Fixed IOS software is available now.

The GnuPG plugin in kopete allows remote attackers to execute arbitrary
commands in the client context by sending specially crafted messages to it.
It is recommended to install this new patch.

It is possible to make the Apache httpd server enter infinite loops and
crash under certain circumstances.
Leaks of several file descriptors to child processes, such as CGI
scripts, were found in Apache.
Patches are available now.

Several security issues have been discovered affecting the Linux kernel
that involve the execve() system call, the /proc filesystem, the TTY layer,
and the mxcsr code.
Fixed kernels are available now.

If Stunnel is configured to start a new child process to handle each
connection, it will receive a SIGCHLD signal when that child exits.
Stunnel would perform tasks in the SIGCHLD signal handler which,
if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
Fixed packages are available now.

Potential security vulnerabilities have been discovered in the EXTPROC
executable of the Oracle Database. An attacker might be able to execute
arbitrary code against the Oracle database by exploiting buffer overflows
in this executable. Both Oracle 8i and Oracle 9i are affected.
Two vulnerabilities have been discovered in the Oracle E-Business Suite.
The FNDWRR CGI program is vulnerable to malformed requests, so potential
attackers might cause the FNDWRR executable to crash. This does not lead to a
Denial of Service, but it may grant a user unauthorized access to the Oracle
E-Business Suite.
As another vulnerability, a set of JSPs allows users to view product
configuration and host system diagnostic information without authentication.
Affected are Oracle E-Business Suite 11i and all releases of Oracle Applications.
Patches are available and should be installed soon.

Race conditions due to insecure temporary file creation were found in the
package 'semi' (a MIME library for GNU Emacs).
Fixed packages are available now.

System: Microsoft Windows NT, 2000, XP, Server 2003
Topic: Vulnerabilities in Microsoft SQL Server
Links: MS03-031, atstake, atstake, ESB-2003.0511, N-125, VU#584868, VU#556356, WinITSec
ID: ae-200307-070
No further comment due to Microsoft insisting on their copyright on advisories.

No further comment due to Microsoft insisting on their copyright on advisories.

No further comment due to Microsoft insisting on their copyright on advisories.

A buffer overflow was found in wget when handling long URLs.
A buffer overflow bug was found in the CHAP implementation of freeradius.
Patches are available now.

Several cross-site scripting vulnerabilities were discovered in
phpgroupware. By exploiting these vulnerabilities, a remote attacker can
obtain sensitive information such as authentication cookies, or change the
behavior of the browser, by crafting a special URL with JavaScript in it and
somehow having a user click on it.
A vulnerability in the way mpg123 handles MP3 files with a bitrate of zero may
allow attackers to execute arbitrary code using a specially crafted MP3 file.
Fixed packages are available now.

Merge includes a security vulnerability in /usr/lib/merge/display that
could be exploited to allow unauthorized root access to the UNIX system
by an unprivileged user with a UNIX login.
A patch is available now.

Solaris 8 systems configured to use Internet Protocol Version 6
(ip6(7P)) may panic when processing certain IPv6 packets.
Solaris 8 LDAP clients may log the proxy agent user's password in clear text.
Anonymous FTP sessions are not audited when the Basic Security Module (BSM)
is used.
Patches or workarounds are available now.

A buffer overflow bug was found in nfs-utils. This bug could be exploited by
an attacker, causing a remote Denial of Service (crash).
Conectiva kernels are affected by several long-known vulnerabilities.
Several long-known vulnerabilities were fixed in cups.
Fixed packages are available now.

fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions.
Fixed packages are available now.

Certain Gigabit Ethernet LAN-on-Motherboard (LOM) and Network-Interface-Card
(NIC) implementations may experience a DMA Write Engine loss of synchronization
when transferring data from adapter/chip memory to host CPU memory.
Patches are available now.

Four vulnerabilities in Apache 2:
Certain sequences of per-directory renegotiations and the SSLCipherSuite
directive being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the strong
one.
Certain errors returned by accept() on rarely accessed ports could cause
a temporary denial of service, due to a bug in the prefork MPM.
A denial of service was caused when the target host is IPv6 but the FTP proxy
server cannot create an IPv6 socket.
The server would crash when going into an infinite loop due to too many
subsequent internal redirects and nested subrequests.
Apache 2.0.47 has been released to close these vulnerabilities.

A buffer overflow bug was found in nfs-utils.
This bug could be exploited by an attacker, causing a remote
Denial of Service (crash).
Fixed packages are available now.

Four vulnerabilities in Apache 2:
Certain sequences of per-directory renegotiations and the SSLCipherSuite
directive being used to upgrade from a weak ciphersuite to a strong one could
result in the weak ciphersuite being used in place of the strong one.
Certain errors returned by accept() on rarely accessed ports could cause
a temporary denial of service, due to a bug in the prefork MPM.
A denial of service was caused when the target host is IPv6 but the FTP proxy
server cannot create an IPv6 socket.
The server would crash when going into an infinite loop due to too many
subsequent internal redirects and nested subrequests.
A buffer overflow bug was found in nfs-utils. This bug could be exploited by
an attacker, causing a remote Denial of Service (crash).
Fixed packages are available now.

Several security issues have been discovered affecting the Linux kernel
that involve the execve() system call, the /proc filesystem, the RPC code,
the STP protocol and the forwarding table.
Fixed kernels are available now.

Within the last week 72 new vulnerabilities have been reported:

Security fixes for mpg123, a player for MP3 files, and ucd-snmp
have been published now.

Cisco routers and switches running Cisco IOS software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial
of Service attack.
Working exploit code has now been made publicly available.
This increases the threat posed to those sites which have not
yet taken the mitigation steps outlined in the Cisco Advisory.
Fixed IOS software is available now.

Two vulnerabilities were found in the Java(TM) Runtime Environment that
may allow an untrusted applet to access restricted resources or trusted
applets.
Patches are available now.

Several vulnerabilities were found in the IRIX Name Service Daemon (nsd).
Logging into an IRIX 6.5 machine while particular environment variables
are set can lead to /usr/lib/iaf/scheme (login) dumping core. Since
"scheme" is suid root, this could potentially lead to a root compromise.
Patches are available now.

A buffer overflow bug was found in nfs-utils.
This bug could be exploited by an attacker, causing a remote
Denial of Service (crash).
Fixed packages are available now.

Several cross-site scripting vulnerabilities were discovered in
phpgroupware.
By exploiting these vulnerabilities, a remote attacker can obtain
sensitive information such as authentication cookies, or change the
behavior of the browser, by crafting a special URL with JavaScript in
it and somehow having a user click on it.
Updated packages solve these problems.

In PHP, when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use.
This allows a cross-site scripting attack.
Fixed packages are available now.

No further comment due to Microsoft insisting on their copyright on advisories.

No further comment due to Microsoft insisting on their copyright on advisories.

System: Microsoft Windows NT, 2000, XP, Server 2003
Topic: Vulnerability in RPC Interface
Links: MS03-026, CA-2003-16, VU#568148, N-117, AL-2003.11, ISS Alerts, Symantec, WinITSec
ID: ae-200307-046
No further comment due to Microsoft insisting on their copyright on advisories.

Cisco routers and switches running Cisco IOS software and configured to
process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial
of Service attack.
A sequence of crafted IPv4 packets sent directly to the device may cause
the input interface to stop processing traffic once the input queue is full.
Fixed IOS software is available now.

A buffer overflow bug was found in nfs-utils.
This bug could be exploited by an attacker, causing a remote
Denial of Service (crash).
Fixed packages are available now.

A vulnerability in the way mpg123 handles MP3 files with a bitrate
of zero may allow attackers to execute arbitrary code using a
specially crafted MP3 file.
A remote heap overflow was found in snmpnetstat.
When a list of interfaces is requested, a malicious server can return
information in a way that will cause a heap overflow in snmpnetstat.
Updated packages solve these problems.

Mandrake kernels are affected by several long-known vulnerabilities.
Fixed packages are available now.

The falconseye package is vulnerable to a buffer overflow exploited via a
long -s command line option.
This vulnerability could be used by an attacker to gain gid 'games' on
a system where falconseye is installed.
Fixed packages are available now.

A heap-based buffer overflow in Netscape and Mozilla allows remote
attackers to execute arbitrary code via a jar: URL referencing a
malformed .jar file, which overflows a buffer during decompression.
Fixed packages are available now.

Within the last week 61 new vulnerabilities have been reported:

A vulnerability in unzip allows attackers to overwrite arbitrary files during
archive extraction by placing invalid (non-printable) characters between two
"." characters. These non-printable characters are filtered out, resulting in a
".." sequence.
A buffer overflow bug was found in nfs-utils. This bug could be exploited by
an attacker, causing a remote Denial of Service (crash).
SuSE kernels are affected by several long-known vulnerabilities.
Patches are available now.

When evaluating trust values for the UIDs assigned to a given key, GnuPG would
incorrectly associate the trust value of the UID having the highest trust
value with every UID assigned to this key.
An updated package solves this problem.

A buffer overflow bug was found in nfs-utils.
This bug could be exploited by an attacker, causing a remote
Denial of Service (crash).
Fixed packages are available now.

A buffer overflow bug was found in nfs-utils.
This bug could be exploited by an attacker, causing a remote
Denial of Service (crash).
Fixed packages are available now.

A buffer-overflow vulnerability exists in Windows XP Service Pack 1's (SP1's)
rundll32.exe file.
Microsoft has not yet responded to this problem.

traceroute-nanog contains an integer overflow bug which could be exploited
to execute arbitrary code.
traceroute-nanog is setuid root, but drops root privileges immediately
after obtaining raw ICMP and raw IP sockets.
Thus, exploitation of this bug provides only access to these
sockets, and not root privileges.
New packages are available now.

imagemagick's libmagick library creates temporary files without taking
appropriate security precautions.
A vulnerability in unzip allows attackers to overwrite arbitrary files during
archive extraction by placing invalid (non-printable) characters between two
"." characters. These non-printable characters are filtered out, resulting in a
".." sequence.
Fixed packages are available now.

A vulnerability was found in an internal protocol used for copying data
between servers. In some circumstances the protocol allows non-privileged
accounts to access application source code, modify applications, reconfigure
the administrative settings of the server and, in some installations, even
alter operating system files.
If the Console is not protected by a firewall, under some circumstances it can
be accessed through the managed server's listen port.
A vulnerability might occur when there are users in the Operator role who are
not also in the Admin role and the NodeManager is used to start servers.
The users in the Operator role unintentionally have read and write access to
the username and password used for remotely starting each server, also for
Admin users.
If the Node Manager is in use on a machine and users other than those in the
WebLogic Server Admin and Operator roles have access to a process listing on
that machine, those users can see the command lines of all servers running on
the machine and acquire the password, so the Node Manager's account might be
compromised.
Patches solve the problems mentioned.

Hangul Terminal is a terminal emulator for the X Window System, based on xterm,
and contains a vulnerability in its handling of escape sequences.
As for the "normal" Red Hat Linux, updated Ethereal packages fix a number of
remotely exploitable security issues.
Netscape 4.8 has been published now, providing security improvements and bug fixes.

Imp is a webmail system which uses the Horde framework.
It can optionally store user preferences, contact lists and session IDs in a
SQL database.
A remote attacker can exploit a SQL injection vulnerability to execute SQL
commands and possibly obtain session IDs and steal another user's webmail
session.
Other consequences are possible and depend on the privileges Imp has in the
database.
An update solves this problem and makes Imp compatible with PHP 4.3.2.
PHP is a very popular scripting language used by web servers to offer dynamic
content. An update to version 4.3.2 is now available, fixing some
vulnerabilities.
PAM is the authentication system used in Linux.
pam_xauth is an authentication module which makes it possible to forward X
credentials from one user to another in order to share an X display.
It is particularly useful in applications such as "su".
A vulnerability in the use of pam_xauth by the su utility has been found.
If the attacker can make one user run su from an X session, he can steal the
X credentials and execute programs in the X display of the user running su.
An updated package solves this problem.

Four vulnerabilities in Apache 2:
Certain sequences of per-directory renegotiations and the SSLCipherSuite
directive being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the strong
one.
Certain errors returned by accept() on rarely accessed ports could cause
a temporary denial of service, due to a bug in the prefork MPM.
A denial of service was caused when the target host is IPv6 but the FTP proxy
server cannot create an IPv6 socket.
The server would crash when going into an infinite loop due to too many
subsequent internal redirects and nested subrequests.
Apache 2.0.47 has been released to close these vulnerabilities.

No further comment due to Microsoft insisting on their copyright on advisories.

No further comment due to Microsoft insisting on their copyright on advisories.

After receiving eight TCP connection attempts using a non-standard TCP flags
combination, a Catalyst switch will stop responding to further TCP connections
to that particular service. In order to re-establish functionality of that
service, the switch must be rebooted.
Fixed software is available now.

System: Debian GNU/Linux
Topic: Vulnerabilities in skk, ddskk, unzip, xbl, phpsysinfo and teapop
Links: DSA-343, DSA-344, DSA-345, DSA-346, DSA-347, ESB-2003.0473, ESB-2003.0474, ESB-2003.0477, ESB-2003.0478
ID: ae-200307-024
'skk' (a simple Kana to Kanji conversion program) and its derivative 'ddskk'
contain a race condition in their use of temporary files.
'unzip' contains the already known directory traversal vulnerability.
'xbl' (a game) contains a buffer overflow which leads to the permissions of
group 'games'.
'phpsysinfo' (a web-based program to display system status information)
contains directory traversal vulnerabilities which can allow local files to be
read via the web or arbitrary PHP code to be executed with the permissions of
the web server process user.
'teapop' (a POP-3 server) is vulnerable to SQL injection, which can be used to
execute any SQL with the permissions of the authenticated user.
New packages are available now.

For the already known vulnerability in 'unzip' an update is now available.

ColdFusion MX and JRun 4.0 will show source code while browsing .cfm,
.cfc, .cfml (ColdFusion MX) or .jsp (JRun) pages if the user appends an
encoded space to the end of a URL. This vulnerability only affects Apache
1.3.x and 2.x versions on Windows.
Patches are now available.

Within the last week 34 new vulnerabilities have been reported:

A failed password extended operation (password EXOP) can cause openldap,
if using the back-ldbm backend, to attempt to free memory which was never
allocated, resulting in a segfault.
Package updates are now available.

A vulnerability in unzip allows attackers to overwrite arbitrary files
during archive extraction by placing invalid (non-printable) characters
between two "." characters.
These non-printable characters are filtered out, resulting in a ".." sequence.
Fixed packages are available now.

liece, an IRC client for Emacs, does not take appropriate security
precautions when creating temporary files.
mozart, a development platform based on the Oz language, includes MIME
configuration data which specifies that Oz applications should be
passed to the Oz interpreter for execution. This means that file
managers, web browsers, and other programs which honor the mailcap
file could automatically execute Oz programs downloaded from untrusted
sources.
New packages are available now.

For the already known vulnerability in 'unzip' an update is now available.

Race conditions due to insecure temporary file creation were found in packages
'semi', 'wemi' (MIME libraries for GNU Emacs) and 'x-face-el' (decoder for
images included inline in X-Face).
New packages are available now.

The vulnerabilities in 'xpdf' and 'unzip' have already been described.
The package 'ml85p' (printer driver for the Samsung ML-85G and QL85G printer
models) also contains insecure temporary file creation.
For all three packages updates are now available.

For the already known vulnerabilities in 'xpdf' and 'ypserv' Sun now
provides updated packages.

A new fix for PHP corrects two possible vulnerabilities.
The first is an internal error of the PHP interpreter, which will crash
under some circumstances when session functions are used.
Additionally, the handling of the session file is improved and corrected.
It is recommended to install this new patch.

A vulnerability in unzip allows attackers to overwrite arbitrary files
during archive extraction by placing invalid (non-printable) characters
between two "." characters.
These non-printable characters are filtered out, resulting in a ".." sequence.
Fixed packages are available now.

In several cases, KDE applications call the ghostview program to
handle PS and PDF files in an insecure way (without the
-DPARANOIDSAFER or -SAFER parameters), which may allow attackers to
execute commands using crafted PS/PDF files.
Fixed packages are available now.

Several vulnerabilities were found in many of the protocol dissectors
of ethereal.
These vulnerabilities may lead to execution of arbitrary code.
Affected are the dissectors for 802.11, AIM, BGP, CLNP, DCERPC, DNS,
GIOP, Gryphon, ISAKMP, ISIS, Mount, OSI, OSPF, PPP, PPTP, Quake, Quake2,
Quake3, RMI, Rsync, SMB, SMPP, SPNEGO, TSP, WSP and WTP.
Fixed packages are available now.

A vulnerability in Active Directory allows an attacker to crash and force
a reboot of any Windows 2000 Server running the Active Directory service.
The vulnerability can be triggered when an LDAP version 3 search request
with more than 1000 "AND" statements is sent to the server, resulting in a
stack overflow and subsequent crash of the Lsass.exe service.
This, in turn, will force a domain controller to stop responding, thus
making possible a denial of service attack against it. The LDAP request
does not need to be authenticated.
A fix for this issue is included in Windows 2000 SP4.

Several bugs were found in the Opera 7 for Windows web browser that can result
in a Denial of Service (DoS) condition.
A patch is not yet available.

A directory traversal vulnerability was found in NetMeeting when
doing file transfers. An attacker can use filenames containing "..\..\"
when doing a file transfer, and in this manner, create a file in any
place of the victim's filesystem, escaping the directory where
NetMeeting usually stores incoming files (e.g. C:\Program Files\
Received\Received Files).
A fix for this issue is included in Windows 2000 SP4 and Windows XP SP1.

On Solaris 8 and Solaris 9 systems with the LDAP name service enabled, an
unprivileged local user may be able to gain unauthorized root access due to a
buffer overflow in the "nss_ldap.so.1" library.
Patches are not yet available.

In PHP, when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use.
This allows a cross-site scripting attack.
Fixed packages are available now.

A vulnerability in unzip allows attackers to overwrite arbitrary files
during archive extraction by placing invalid (non-printable) characters
between two "." characters.
These non-printable characters are filtered out, resulting in a ".." sequence.
Fixed packages are available now.

Within the last week 49 new vulnerabilities have been reported:

A local unprivileged user may be able to gain unauthorized root
privileges due to a buffer overflow vulnerability in the database
function routines dbm_open(3C) and dbminit(3UCB).
A local or remote unprivileged user may be able to terminate the
syslogd(1M) daemon on a Solaris system by sending large syslog(3C)
packets.
The Sun ONE Application Server may incorrectly validate user
authentication information with LDAP.
A local unprivileged user may be able to gain additional access
privileges to VERITAS File System (VxFS) files due to incorrect
permissions being set when Access Control Lists (ACLs) are being
utilized.
Patches are available now.

The package radiusd-cistron is an implementation of the RADIUS protocol.
The RADIUS server does not handle large NAS numbers correctly.
This leads to overwriting of internal memory of the server process and
may be abused to gain remote access to the system the RADIUS server is
running on.
The GnuPG plugin in kopete allows remote attackers to execute arbitrary
commands in the client context by sending specially crafted messages to it.
Fixed packages are available now.