Chosen month 08 / 2003

A buffer overflow was discovered in gkrellmd.
This buffer overflow occurs while reading data from connected gkrellm
clients and can lead to possible arbitrary code execution as the user
running the gkrellmd server.
Fixed packages are available now.
Several buffer overflows and format string errors were found in node.
Fixed packages are available now.
In PHP when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use. This
allows a cross-site scripting attack.
A vulnerability in the Gnome Display Manager (GDM) allows local users to read
any text file on the system. In addition, a denial of service issue exists if
X Display Manager Control Protocol (XDMCP) is enabled.
A cross-site scripting vulnerability exists in the start_form() function in
CGI.pm.
Fixed packages are available now.
Several shells create insecure temporary files with a name based on
a process id.
Patches are available now.
A vulnerability in the Gnome Display Manager (GDM) allows local users to read
any text file on the system. In addition, a denial of service issue exists if
X Display Manager Control Protocol (XDMCP) is enabled.
Fixed packages are available now.
A bug in the getgrouplist function can cause a buffer overflow if
the size of the group list is too small to hold all the user's groups.
This overflow can cause segmentation faults in user applications, which may
have security implications, depending on the application in question.
New packages are available now.
If a long password is supplied to the libpam-smb PAM authentication
module, this can cause a buffer overflow which could be exploited to
execute arbitrary code with the privileges of the process which invokes
PAM services.
Patches are available now.
Within the last week 51 new vulnerabilities have been reported:
System: Various
Topic: Vulnerability in sendmail
Links: Sendmail, VU#993452, ESB-2003.0594, MDKSA-2003:086, ESB-2003.0596, FreeBSD-SA-03:11, ESB-2003.0599, SuSE-SA:2003:035, RHSA-2003-265, ESB-2003.0606, N-138
ID: ae-200308-072

An attacker able to control DNS responses sent to affected sendmail servers
using DNS maps may be able to exploit an uninitialized data structure in servers
running sendmail 8.12.x, where x < 9. This may lead to the sendmail daemon
crashing, or possibly the execution of arbitrary code on the server.
A patch is available now.
Helix Universal Server is vulnerable to a root exploit when certain types
of character strings appear in large numbers within URLs destined for the
server's protocol parsers.
A patch is not available yet.
As a workaround the "View Source" plug-in can be removed.
KisMAC is a popular wireless network identification and analysis tool.
In the event that the "SUID Shell Scripts are enabled" checkbox (inside of the driver tab under preferences)
is enabled, an attacker with local interactive access can become root through several different mechanisms.
This feature is off by default.
It's recommended to upgrade to version 0.05d4 and not to
enable this functionality on a multi-user machine.
Several vulnerabilities in the kernel should be fixed as soon as possible with
the new packages Red Hat has now published.
Computers infected with the Sobig.F worm are programmed to automatically download an executable of
unknown function from a hard-coded list of servers today at 19:00 UTC (3:00pm EDT) using port 8998/udp.
Because of this, ISS X-Force recommends administrators filter outbound connections to
the servers listed in the advisory and block outgoing port 8998/udp.
For the already known vulnerability in 'Gnome Display Manager (GDM)' an update is now available.
A vulnerability in the Gnome Display Manager (GDM) allows local users to read
any text file on the system. In addition, a denial of service issue exists if
X Display Manager Control Protocol (XDMCP) is enabled.
Fixed packages are available now.
Oracle XML Database (XDB) 9.2.0.1 has multiple vulnerabilities; attacks are possible
because of buffer overflows in its FTP and HTTP services.
Currently there are no patches available so traffic filtering is required.
An improper bounds check in the semget(2) system call can allow a local user
to cause a kernel panic. A patch is available now.
For some time now, the new worm W32/Sobig.F has been in the wild.
This worm uses a long-known security hole: users of Microsoft operating systems
who open and execute attachments without properly installed and up-to-date
anti-virus software.
The worm then starts a program which searches mailboxes for e-mail addresses.
Afterwards it sends itself by generating e-mails with randomly chosen sender
and recipient addresses.
The new version has been improved: the worm's SMTP client is now multi-threaded,
which means it can send multiple e-mails at one time.
Improvements can be made, e.g., by:
- educating users
- using up-to-date anti-virus software on all clients
- prohibiting e-mail relaying from internal to external hosts when non-internal
sender addresses are used
In addition, e-mail traffic can be reduced by disabling sender notification on
the anti-virus gateway in general (recommended), or at least for detected worms
that choose random sender addresses (such notification is useless).
For blocking incoming mail on an SMTP gateway, extensions have already been
published (without any warranty):
Postfix, Sendmail/Exim.
For the already known vulnerability in 'perl-CGI' module an update is now available.
No further comment due to Microsoft insisting on their copyright on advisories.
System: Microsoft Windows
Topic: Critical vulnerabilities in Internet Explorer
Links: MS03-032, CA-2003-22, ESB-2003.0601, VU#205148, VU#865940, VU#548964, VU#813208, VU#334928, N-135, ESB-2003.0588, S-03-060, WinITSec, CPAI-2003-30
ID: ae-200308-060

A new cumulative patch for Internet Explorer was published.
No further comment due to Microsoft insisting on their copyright on advisories.
For the already known vulnerabilities in 'unzip' and 'eroaster' updates are now available.
A security issue was found with some of the server behaviors present in
Dreamweaver MX, all versions of UltraDev, and two extensions that shipped as
part of the Developer's Resource Kit (DRK), vol. 2 and vol. 4. If exploited,
it is possible for an attacker to gain access to certain site-specific cookie
and session information.
Patches are available now, see specific instructions on given URL.
Applying an earlier version of the cachefs patch on Solaris 2.6 and Solaris 7
systems can result in the inetd.conf(4) file being erroneously overwritten. This
can re-enable previously disabled services.
A workaround is described on the given URLs. Administrators should also review the
services enabled in the current inetd.conf.
For the already known vulnerability in 'unzip' an update is now available.
Three vulnerabilities in metamail have now been fixed.
These vulnerabilities have been publicly known since 1997 or 1999.
An off-by-one error exists in a portion of realpath(3) that computes
the length of the resolved pathname.
Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.
A patch is available now.
A potential security vulnerability exists in the Distributed Computing
Environment (DCE) where a remote user may cause the service
to become unresponsive.
Patches are available now.
The initscript (/etc/rc.d/init.d/slpd) of the openslp daemon
uses '/tmp/route.check' as a temporary file in an unsafe manner.
Patches are available now.
A buffer overflow was found in exim.
Fixed packages are available now.
Within the last week 65 new vulnerabilities have been reported:
A buffer overflow was found in the 'netris' client software.
A buffer overflow was found in 'autorespond'.
This vulnerability could potentially be exploited by a remote attacker to gain
the privileges of a user who has configured qmail to forward messages to
autorespond.
Fixed packages are available now.
A vulnerability in unzip allows attackers to overwrite arbitrary files
during archive extraction.
The previous patches did not stop all cases.
Fixed packages are available now.
OpenBSD has published a new version of netris to fix buffer overflows.
Last year, a vulnerability in the processing of filenames within a TFTP read request on IOS devices
was reported. An update of this advisory now points out that PXM-1 based MGX switches are also
affected. A patch is available and should be installed soon.
System: Sun Linux, Qube3, RaQ4, RaQXTR, RaQ550
Topic: Vulnerabilities in unzip, ptrace, and Python
Links: Sun Alert 56120, Sun Alert 52081, Sun Alert 56122, OAR-2003:1042, OAR-2003:1043
ID: ae-200308-045

In Sun Linux 5.0, a directory traversal vulnerability in unzip 5.50 and earlier
may allow local users to overwrite arbitrary files during archive extraction.
It's recommended to make sure the right permissions are set and the new patch is installed.
A new patch should also be installed to fix an issue with the ptrace function:
due to a security hole, an unauthorized local user may be able to gain root access rights on Linux
systems, including Sun Linux and Sun Cobalt platforms.
Additionally, unprivileged local users may be able to overwrite or create any file on
the system if a root user runs Python.
The Sun ONE/iPlanet Web Server is vulnerable to a Denial of Service (DoS) attack by a
local or remote unprivileged user. It's recommended to install Sun ONE/iPlanet Web Server
6.0 Service Pack 6 or later.
The Solaris 9 FTP Server, in.ftpd, is based on WU-ftpd (Washington University ftpd) and
is affected by a security vulnerability which may allow a local or remote unprivileged user
to gain unauthorized root access. Sun describes some workarounds, a patch is pending.
The CERT/CC has received a report that the system housing the primary FTP servers for the GNU software
project was compromised.
The compromise is reported to have occurred in March of 2003.
Because this system serves as a centralized archive of popular software, the insertion of malicious
code into the distributed software is a serious threat.
As an announcement of FSF indicates, no source code distributions are believed to have been
maliciously modified at this time.
GNU software obtained from the compromised system should be verified to test the integrity of the
downloaded distribution.
It's possible to create a Denial-of-Service attack on the IRIX nfsd by using carefully crafted packets
which cause XDR decoding errors. This can lead to a kernel panic on the system.
A vulnerability in the checkpoint/restart (cpr) system might allow local users to
truncate or overwrite certain files without having the permission for it.
Patches are available now.
Two vulnerabilities exist in CiscoWorks CMF versions prior to and including
2.1. The first vulnerability is a privilege escalation vulnerability where a
guest user may obtain administrative privileges within the application via a
specially crafted URL. The second vulnerability is an ability to run arbitrary
commands on the CiscoWorks server due to an error in processing user input.
Patches are available now.
New kernel packages fix several local and denial of service vulnerabilities.
System: Microsoft Windows NT, 2000, XP, Server 2003
Topic: W32/Blaster worm
Links: CA-2003-20, MS03-026, ae-200308-005, ae-200307-046, AU-2003.011, ESB-2003.0561, ISS Alert, S-03-057, N-133, SVA-2003.0004, Cisco, ESB-2003.0567, ESB-2003.0590
ID: ae-200308-038

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
interface as described in
VU#568148 and
CA-2003-16.
Upon successful execution, the worm attempts to retrieve a copy of the file
msblast.exe from the compromising host.
Once this file is retrieved, the compromised system then
runs it and begins scanning for other vulnerable systems to compromise in the
same manner. In the course of propagation, a TCP session to port 135 is used
to execute the attack. However, access to TCP ports 139 and 445 may also
provide attack vectors and should be considered when applying mitigation
strategies. Microsoft has published information about this vulnerability in
Microsoft Security Bulletin
MS03-026.
Within the last week 47 new vulnerabilities have been reported:
When handling a URL supplied through
the command line, lynx does not filter out characters such as spaces,
CR, LF, etc, which allows an attacker to inject HTTP headers and
cause program misbehavior by using a specially crafted URL.
Patches are available now.
A local or remote unprivileged user may be able to view root
privileged files due to a security vulnerability involving the Solaris
kcms_server(1) daemon.
Patches are available now.
ddskk does not take appropriate security precautions when creating
temporary files. This bug could potentially be exploited to overwrite
arbitrary files with the privileges of the user running Emacs and skk.
Fixed packages are available now.
A cross-site scripting vulnerability exists in the start_form()
function in CGI.pm.
Fixed packages are available now.
The ptrace(2) system call and the `spigot' video capture device driver do
not properly validate signal numbers.
The kernel then attempts to deliver a negative or out-of-range signal number.
This may be used to crash the machine or, in certain cases, to completely
compromise the system.
If iBCS2 support is enabled, a malicious user could call the iBCS2
version of statfs(2) with an arbitrarily large length parameter,
causing the kernel to return a large portion of kernel memory. Such
memory might contain sensitive information, such as portions of the
file cache or terminal buffers.
Source code patches are available now.
Due to vulnerabilities in kdelibs and konqueror, OpenBSD has published new versions
of these programs.
A Denial of Service (DoS) vulnerability exists in Crob FTP Server 2.60.1.
If an attacker sends the FTP server a file whose name contains words such as CON, AUX, COM1, LPT1,
the server might stop responding to legitimate requests.
A patch is not yet available.
The Red Hat Update Agent, up2date, automatically queries the Red Hat Network servers and determines
which packages need to be updated on your machine.
Up2date versions 3.0.7 and 3.1.23 incorrectly check RPM GPG signatures.
This allows packages which have no GPG signature to be installed by up2date if they are provided by the
Red Hat Network servers.
The intended behaviour is that only packages signed with the Red Hat package signing key will be installed.
This problem is fixed with new RPMs.
A buffer overflow was discovered in xtokkaetama,
involving the "-nickname" command line option.
This vulnerability might be exploited by a local attacker to gain gid 'games'.
Another buffer overflow in xpcd-svga can be triggered by a long HOME environment variable.
This vulnerability could be exploited by a local attacker to gain root privileges.
Due to a buffer overflow in zblast-svgalib when saving the high score file,
a local user is able to gain gid 'games' by achieving a high score.
A vulnerability in pam-pgsql has been found.
If the username to be used for authentication is used as a format string when writing a log message,
an attacker might execute arbitrary code with the privileges of the program requesting PAM authentication.
Patches to fix these vulnerabilities are available now.
The Sun Linux 5.0 file utility version 3.39 and earlier contains a buffer overflow vulnerability in
the Executable and Linking Format (ELF) parsing routines.
This vulnerability may allow a local unprivileged user to execute arbitrary code with the privileges
of the user running the file command.
Additionally, a race condition in Sun Linux fileutils 4.1 and earlier versions may allow a local
unprivileged user to delete files or directories owned by others.
In the advisories, workarounds are described. Patches will be published soon.
Tcpflow is a network monitoring tool that records TCP sessions in an easy to use and view manner.
This tool contains a format string vulnerability that is typically unexploitable.
However, at least a couple of network management tools
(IPNetMonitorX and IPNetSentryX) have allowed this vulnerability to be successfully
exploited.
It's recommended to upgrade tcpflow and ensure that it is not setuid root.
IPNetSentryX and IPNetMonitorX are network tools that provide firewalling and general network monitoring.
Both of these tools come with three helper tools that each have security issues associated with them.
The first two tools: RunTCPDump and RunTCPFlow allow arbitrary users to monitor the network without
requiring any form of authentication or privilege.
The third tool, tcpflow (executed by RunTCPFlow), contains a format string vulnerability, allowing arbitrary
commands to be run as the user calling the program.
Since RunTCPFlow is setuid root and passes arguments to tcpflow, arbitrary commands can be executed as root.
These vulnerabilities are mitigated in the latest version of IPNetSentryX and IPNetMonitorX available from
http://www.sustworks.com
If Stunnel is configured to start a new child process to handle each
connection, it will receive a SIGCHLD signal when that child exits.
Stunnel would perform tasks in the SIGCHLD signal handler which,
if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
Fixed packages are available now.
In Sun ONE Application Server or Sun ONE/iPlanet Web Server, it may be
possible to gather information about the data transmitted over a
Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) channel.
In the Sun ONE Application Server it may be possible to view the source code
of JavaServer Pages (JSP) applications.
Patches are available now.
If Stunnel is configured to start a new child process to handle each
connection, it will receive a SIGCHLD signal when that child exits.
Stunnel would perform tasks in the SIGCHLD signal handler which,
if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
Fixed packages are available now.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML contains a bug when handling HTML messages that could cause
the Evolution mail component to crash.
Fixed packages are available now.
Several "cross-site-scripting" and SQL injection vulnerabilities were
discovered in phpgroupware.
eroaster does not take appropriate security precautions when creating
a temporary file for use as a lockfile.
Fixed packages are available now.
Within the last week 70 new vulnerabilities have been reported:
The error messages returned by rpc.mountd can be used to determine
whether a file exists.
A patch is available now.
It is possible to crash an OSI connected system remotely by sending it
a carefully prepared OSI networking packet.
A patch is available now.
Multiple buffer overflows in man-db, when installed setuid, allow
local users to gain privileges via long values of environment variables.
Additionally certain DEFINE directives in ~/.manpath, which
contained commands to be executed, would be honored even when
running setuid, allowing any user to execute commands as the
"man" user.
Updated packages fix these problems.
A buffer overflow was found in wget when handling long URLs.
Patches are available now.
An off-by-one error exists in a portion of realpath(3) that computes
the length of the resolved pathname.
Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.
Source code patch is available now.
imagemagick's libmagick library creates temporary files without taking
appropriate security precautions.
Fixed packages are available now.
In PHP when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use. This
allows a cross-site scripting attack.
Fixed packages are available now.
Several buffer overflows were found in xfstt, a TrueType font server for the X
window system.
mindi does not take appropriate security precautions when creating
temporary files.
This bug could potentially be exploited to overwrite arbitrary files with
the privileges of the user running mindi.
Fixed packages are available now.
A malformed envelope address can cause the queue manager to lock up until an
entry is removed from the queue and also lock up the SMTP listener leading to
a DoS.
Postfix also allows an attacker to bounce-scan private networks or use the
daemon as a DDoS (Distributed Denial of Service) tool by forcing the daemon to
connect to an arbitrary service at an arbitrary IP address and receiving
either a bounce message or by timing.
Fixed packages are available now.
The worm MIMAIL is spreading in the Internet.
It exploits vulnerabilities reported in April this year
(MS03-014).
A typical mail from this worm looks like this:
Subject: your account <any string>
Body: Hello there, I would like to inform you about important
information regarding youremail address.
This email address will be expiring. Please read attachment for details.
Best regards,
Administrator
Attachment: "message.zip"
So please be sure to have the patch from Microsoft installed and to have your
antivirus software up to date.
When wireless phone users login to GroupWise WebAccess the userid and password are recorded
in the webserver's access_log file below the directory of Apache.
How to prevent wireless phone user's userid and password from being written to the access_log
is described in the advisory.
Xfstt is a TrueType font server for the X window system which is vulnerable to two classes of vulnerabilities.
If a remote attacker sends requests several buffer overruns might be triggered, causing a Denial-of-Service or
executing arbitrary code on the server with the privileges of the "nobody" user.
Certain invalid data sent during the connection handshake might allow a remote attacker to read
certain regions of memory belonging to the xfstt process.
This information can be used for fingerprinting and might be an aid for exploiting different vulnerabilities.
An updated package fixes these problems.
The Light Extensible Authentication Protocol (LEAP) authentication algorithm supports dynamic
derivation of session keys in wireless networks.
The authentication relies on a shared secret (the user's logon password) which is known by
the client and the network and is used to respond to challenges between the user and the
Remote Authentication Dial-In User Service (RADIUS) server.
As with most password-based authentication algorithms, Cisco LEAP is vulnerable to dictionary attacks.
Creating a strong password policy is the most effective way to mitigate against dictionary attacks.
This includes using strong passwords and periodically expiring passwords.
Cisco recommends reviewing and applying its latest
security paper.
Multiple exploits for this vulnerability have been publicly released,
and there is active development of improved and automated exploit tools for this vulnerability.
Known exploits target TCP port 135 and create a privileged backdoor command shell on successfully compromised
hosts, but also other ports might be used.
So it's strongly recommended to block the affected ports using a firewall and
to update vulnerable systems immediately!
If the udp-small-servers command is enabled, a Cisco IOS software device may reply to malformed udp
echo packets with some of the contents stored in a router's memory.
By repeatedly sending malformed udp echo packets and capturing the replies,
an attacker can obtain portions of the data that is stored in a router's memory.
Cisco has now published a paper recommending the command "no service udp-small-servers"
to avoid this vulnerability.
The well known vulnerability affects OpenVMS also.
Local or remote users might obtain the server's private encryption key.
An additional vulnerability in OpenSSL may allow remote users to perform an unauthorized RSA private key operation.
The resolutions for these vulnerabilities are included in HP SSL for OpenVMS V1.1 kit.
Several security issues have been discovered affecting the Linux kernel that
involve the execve() system call, the /proc filesystem, the RPC code, the STP
protocol and the forwarding table.
Multiple buffer overflows were discovered in atari800, an Atari emulator.
Fixed packages are available now.
System: Various
Topic: Vulnerability in wu-ftpd
Links: AL-2003.13, VU#743092, DSA-357, ESB-2003.0527, RHSA-2003-245, RHSA-2003-246, N-132, ESB-2003.0526, MDKSA-2003:080, SuSE-SA:2003:032, TLSA-2003-46, Sun Alert 56220, ESB-2003.0605, CSSA-2003-024, CSSA-2003-SCO.20
ID: ae-200308-001

The Washington University FTP (File Transfer Protocol) server daemon,
'wu-ftpd', contains an off-by-one buffer overflow.
On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges.
Fixed packages are available now.