Chosen month 09 / 2003
|
|
|
A remotely exploitable buffer overflow vulnerability has been found in MPlayer.
A malicious host can craft a harmful ASX header and trick MPlayer into executing arbitrary code when
it parses that particular header.
This problem can be solved with a patch now.
|
|
|
On IBM AIX 5.1 and 5.2 the getipnodebyname API does not close sockets.
So a remote or local attacker may execute a denial of service attack against an
application that uses getipnodebyname.
At the present time, the only application that ships with AIX that uses
this API is Sendmail.
An official patch has been published now.
|
|
|
On HP-UX B.11.00 a potential Security Vulnerability in socket programs has been found.
So a local user might cause a system crash.
A patch is available now.
|
|
|
The game 'freesweep' contains a buffer overflow during environment parsing.
Local users can get access to group 'games'.
The lightweight HTTP server 'webfs' has two vulnerabilities. One can be used
to retrieve directory listings or files above the document root. The other
can be triggered by overly long pathnames and results in a buffer overflow which can be used to execute arbitrary code.
Fixed versions are now available.
|
|
|
Within the last week, 44 new vulnerabilities have been reported:
|
|
|
As reported before for other systems
(e.g. @stake),
many network device drivers reuse old frame buffer data to pad packets,
resulting in an information leakage vulnerability that may allow remote attackers to harvest sensitive
information from affected devices.
Now SCO has also released a patch for UnixWare 7.1.1, 7.1.3, and Open Unix 8.0.0.
For the remotely exploitable vulnerability in sendmail that could allow an attacker to gain control of a
vulnerable sendmail server (see also ae-200309-030),
a patch has been released.
|
|
|
A problem has been discovered in Apache2 where CGI scripts that output more than 4k of output to STDERR will
hang the script's execution which can cause a Denial of Service on the httpd process because it is waiting
for more input from the CGI that is not forthcoming due to the locked write() call in mod_cgi.
A patch is available now.
|
|
|
When processing the HOME environment variable, a buffer overflow in marbles might occur.
This vulnerability could be exploited by a local user to gain gid 'games'.
For the current stable distribution (woody) this problem has been fixed in version 1.0.2-1woody1.
|
|
|
It has been reported that certain Microsoft RPC scanning can cause the DCE daemon dced to abort,
causing a denial of service vulnerability.
This vulnerability has been corrected with patches to DCE 1.2.2c.
|
|
|
A vulnerability in Mondosoft MondoSearch 5.1, 5.0, and 4.4 for Windows can result in the execution of arbitrary
code on a vulnerable computer.
One of the default installation files, msmsetup.exe, contains a vulnerability that lets malicious users create
files with user-specified content on the Web server or anywhere that the executing user
(typically IUSR_xxx) has write access.
Mondosoft has published a
patch to solve this problem.
|
|
|
A vulnerability in the WZDftpD FTP Server for Windows can result in a Denial of Service (DoS) condition.
Sending a CRLF sequence at logon causes an unhandled exception at the server.
A proof-of-concept has been published as well as a patch.
|
|
| System: | Microsoft Windows |
| Topic: | Vulnerability in SpeakFreely for Windows |
| Links: | WinITSec |
| ID: | ae-200309-060 |
A vulnerability in Speak Freely 7.6a for Windows and earlier can result in a Denial of Service (DoS) condition.
Sending multiple spoofed packets (more than 160 packets of 2 bytes or more) results in the termination of the
program, with an error message such as,
"Cannot create transmit socket for host (x.x.x.x), error 10055. No buffer space is available."
SpeakFreely has been notified.
|
|
|
The Sun ONE Application Server may incorrectly validate user authentication information with LDAP.
This might happen in Sun ONE Application Server 7.0, for which an update is available now.
|
|
|
A security update fixes two possible buffer overflows in expand_string and in writing entries to the syslog.
Additionally a format string vulnerability in usr2_handler has been fixed.
|
|
|
The Guardian Digital WebTool provides functionality allowing local users to generate their own SSH keys.
The data are passed around with HTTP GET instead of HTTP POST with the result of these data and the rest of
the query string being logged in /var/log/userpass.log.
It's recommended to install an update as soon as possible.
|
|
|
PHP is a very popular scripting language used by web servers to offer dynamic content.
PHP version 4.3.3 includes several fixes and improvements, including fixes for potential integer overflow vulnerabilities.
Whether these vulnerabilities can be exploited depends on the PHP application and the scenario in which it's executed.
|
|
|
An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute
arbitrary code to gain complete control of the system.
Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites.
Patches and updated packages are available from ftp.proftpd.org.
|
|
|
The Address Resolution Protocol (ARP) is fundamental to the operation of IP with a variety of network technologies,
such as Ethernet and WLAN.
It's used to map IP addresses to MAC addresses, which enables hosts on a local network segment to communicate
with each other directly. These mappings are stored in the system's ARP cache.
The ARP cache is implemented within the kernel routing table as a set of routes.
Normally the system adds a reciprocal ARP entry to the cache for the system from where the request originated.
Expiry timers are used to purge unused entries from the ARP cache.
If a large number of ARP requests with different network protocol addresses are sent in a small space of time,
resource starvation can result, as the arplookup function does not delete unnecessary ARP entries cached as
the result of responding to an ARP request. This leads to a system panic and thus a denial of service.
This problem can be solved by installing a patch.
|
|
|
On HP9000 Series 700/800 running HP-UX release B.11.00 in ipcs a buffer overflow has been found.
So local users may get unauthorized access or create a denial of service (DoS).
This flaw can be fixed by installing the patch PHCO_29043.
|
|
|
When logged in as root, the desktop can't lock the screen via XScreenSaver.
The screen will not lock when "Lock Screen" is selected from the "Actions" menu, and
for root desktop sessions it will not lock automatically after a period of inactivity.
Workarounds are to not log in as root or to lock the screen manually by running 'xlock' at the command line, but
installing the patch, which has now been published, is the better fix.
|
|
|
Washington University's FTP daemon (WU-FTPD) is an FTP server included with most Linux distributions.
WU-FTPD versions 2.6.2 and earlier are vulnerable to a buffer overflow in the SockPrintf function in the
ftpd.c file, if the server is compiled with the MAIL_ADMIN option, which is not the default configuration.
A remote attacker with file upload privileges might upload a large file to overflow a buffer and
possibly execute arbitrary code on the system with privileges of the WU-FTPD process.
Patches and updated packages are available now.
|
|
|
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code.
At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled).
The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable.
Older versions of portable OpenSSH are not vulnerable.
The mentioned problem is solved in OpenSSH 3.7.1p2.
|
|
|
Within the last week, 49 new vulnerabilities have been reported:
|
|
|
Updated Apache and mod_ssl packages that fix several minor security issues
are now available for Red Hat Linux 7.1, 7.2, and 7.3.
A bug in the optional renegotiation code in mod_ssl can cause cipher suite restrictions to be ignored.
This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with
verification of client certificates and a change to the cipher suite over
the renegotiation.
Additionally, Apache doesn't filter terminal escape sequences from its error logs, which could make it easier
for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences.
It's also possible to get Apache 1.3 to get into an infinite loop handling internal redirects and nested
subrequests.
|
|
|
Two security issues have been found in Perl.
When safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and earlier, it's possible for an
attacker to break out of safe compartments.
This issue doesn't affect the Perl packages which shipped with Red Hat Linux 9.
Additionally, a cross-site scripting vulnerability has been discovered in the start_form()
function of CGI.pm. This allows a remote attacker to insert a Web script via a URL fed into the
form's action parameter.
These problems can be fixed by installing an updated package.
|
|
|
The package ipmasq simplifies the configuration of Linux IP masquerading,
a form of network address translation which allows a number of hosts to share a single public IP address.
Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for
an internal host will be forwarded, regardless of whether it was associated with an established connection.
This vulnerability might be exploited by an attacker capable of forwarding IP traffic with an arbitrary
destination address to the external interface of a system with ipmasq installed.
This problem can be solved by installing the updated package.
|
|
|
The Real Networks Helix Universal Server and RealSystems Servers are vulnerable to a root compromise.
The affected versions are the Helix Universal Server 9.01, 9.0.2.794 RealSystem Server 8.0 and 7.0.
A carefully crafted request to the server could give an intruder root access.
So it's recommended to upgrade to Helix Universal Server 9.0.2.802 or remove the View Source plugin
from the plugins directory and restart the server.
|
|
|
ColdFusionMX Web Sites that use the default ColdFusionMX Site-Wide Error Handler page or the
default ColdFusionMX Missing Template Handler page may be susceptible to a cross-site scripting
attack using the HTTP Referer[sic] header field.
Macromedia has published patches and notified customers using affected versions.
|
|
| System: | Microsoft Windows |
| Topic: | Vulnerability in Plug and Play Web Server |
| Links: | WinITSec |
| ID: | ae-200309-043 |
A vulnerability in Plug & Play Software's Plug & Play Web Server for Windows can result in unauthorized
read access to any file located on the vulnerable server. By using the "../" or "..\" string in a URL,
an attacker can gain read access to any file that resides
outside the intended Web-published file system directory.
Plug & Play Software has been notified, so a patch will be published soon.
|
|
| System: | Microsoft Windows |
| Topic: | Vulnerability in WideChapter Internet Browser |
| Links: | WinITSec |
| ID: | ae-200309-042 |
A vulnerability in WideChapter Internet Browser for Windows can result in the execution of
arbitrary code on the vulnerable system.
By initiating a long HTTP request, an attacker can cause a buffer overflow in WideChapter when
JavaScript is activated.
This overflow permits modification of the Execution Instruction Point, which lets the attacker execute arbitrary
code. An exploit is available on the Internet.
Until a patch is available, it's recommended to disable JavaScript.
|
|
|
DB2 is IBM's relational database software, oriented toward the deployment and development of e-business,
business intelligence, content management, enterprise resource planning and customer relationship management solutions.
DB2 can be deployed in AIX, HP-UX, Linux, Solaris and Windows environments.
IBM's DB2 database ships with two vulnerable setuid binaries: db2licm and db2dart.
Both binaries are vulnerable to a buffer overflow that allows a local attacker to execute arbitrary
code on the vulnerable machine with root privileges.
Today, only Linux on x86 and S390 seems vulnerable, and for these systems a patch has now been published.
|
|
|
WS_FTP Server is a widely used FTP Server for Microsoft NT/2000/XP.
It contains a buffer overflow when supplied with overly long 'STAT' and 'APE'
commands.
IPSwitch provided patches for the 3.x and 4.x versions; the current fixed versions are
3.14 and 4.02.
|
|
|
As reported before, some Network Traffic may cause a Denial-of-Service on HP9000 Series 700/800 running
HP-UX releases B.11.00, B.11.04, B.11.11, and B.11.22. A patch is available now.
The wu-ftpd program on HP-UX B.11.00, B.11.11, and B.11.22 is potentially vulnerable to a buffer overflow,
resulting in a remote Denial-of-Service. It's recommended to install the relevant patches or to
disable write-access to the FTP-Server.
Additionally, a vulnerability exists in Java Secure Socket Extension (JSSE) where it might be possible
to gather information about the data transmitted over a Secure Sockets Layer (SSL) or a
Transport Layer Security (TLS) channel with CBC encryption. The issue doesn't expose private or session keys.
A second vulnerability might give the chance to extract private keys from an SSL server.
These problems can be solved by installing an update.
|
|
|
The worm referred to as "Blaster" or "W32.Blaster.worm", may impact HP OpenView products
running on Microsoft Windows, HP-UX, Solaris and Linux so the DCE processes may fail.
Patches are available and should be installed.
|
|
|
Recently, the new worm 'W32/Swen' (also known as 'Gibe') has been in the wild.
This worm also exploits a long-known security hole: the user of Microsoft operating systems
who opens and executes attachments without properly installed and up-to-date anti-virus software.
This worm is a little bit smarter: it looks like an e-mail from Microsoft and has an executable file
attached which the worm describes as a security patch... but it's the worm itself.
The worm looks for addresses on the local system and sends itself to them; it also tries to infect
systems via network shares, KaZaa and IRC.
Additional hint: Microsoft doesn't send patches via e-mail, so never ever trust such e-mails at all.
See also: N-153
|
|
|
For the already known vulnerabilities in 'gtkhtml' and 'MySQL', Mandrake
now provides updates.
|
|
|
The tsm command provides terminal state management and login functionality which is used to verify users'
identity. The services tsm provides are used by commands such as login, passwd and su.
Exploiting a format string vulnerability in tsm, a remote attacker can gain root privileges or
a local attacker can escalate his privileges to root privileges.
An official patch has been published.
|
|
|
NetBSD also contains a version of OpenSSH with the already known
vulnerability.
The statfs(2) function of 'iBCS2' can be used to return a large portion of
kernel memory, which can lead to local information disclosure.
In sysctl(2) code of the kernel, three problems were found which can be used
by the user to trigger a kernel panic or read arbitrary locations in kernel
memory space.
Patches are now available.
|
|
|
Buffer overflows were found in:
- 'hztty' (a translation program for Chinese letters in a terminal session).
This can lead to a local root compromise.
- the 'gopher' daemon. This can lead to remote exploitation of the user account that runs the
daemon (usually 'gopher').
'libmailtool-perl' contains the Perl module Mail::Mailer, which is used for
sending email. When external programs like 'mailx' are called, input is not
properly filtered and therefore certain escape sequences would be interpreted as
commands to be executed.
Fixed packages are available now.
|
|
|
Under certain conditions an NFS client can avoid read-only restrictions on
filesystems exported via NFS and mount them in read/write mode.
No workaround is available, so only upgrading to IRIX 6.5.22 or applying the provided
patch will help here.
|
|
| System: | Various |
| Topic: | Vulnerability in OpenSSH (update) |
| Links: | ae-200309-027, ESB-2003.0653, ESB-2003.0648, ESB-2003.0647, OpenBSD, MDKSA-2003:090, RHSA-2003-279, ESB-2003.0654, SuSE-2003-038, SuSE-2003-039, N-151, DSA-383, ESB-2003.0661, ESB-2003.0675, HPSBUX0309-282, Sun Alert 56862, CSSA-2003-027, FreeBSD-SA-03:15, ESB-2003.0704 |
| ID: | ae-200309-031 |
After fixing the last vulnerability, the code got more review and additional
security related fixes were made.
A new version, 3.7.1, is now available; distribution vendors mostly backpatch
the versions they ship and provide updated packages, too.
|
|
| System: | Various |
| Topic: | Next vulnerability in sendmail |
| Links: | Sendmail Inc., Sendmail, VU#784980, N-149, ESB-2003.0651, ESB-2003.0649, AL-2003.17, OpenBSD, MDKSA-2003:092, RHSA-2003-283, DSA-384, ESB-2003.0662, S-03-070, TLSA-2003-52, CA-2003-25, VU#108964, Sun Alert 56860, ESB-2003.0671, S-03-070, SuSE-2003-040, ESB-2003.0676, HPSBUX0309-281, ESB-2003.0674, ESB-2003.694, APPLE-SA-2003-09-22, FreeBSD-SA-01-13, Sun Alert 56922, SGI-20030903-01-P, ESB-2003.0688, SSRT3631, ESB-2003.0706, NetBSD-SA2003-016, ESB-2003.0714, ESB-2003.0805 |
| ID: | ae-200309-030 |
Another critical bug was found in the never-ending story of vulnerabilities
in sendmail. The function prescan() can be exploited by an e-mail containing a
malicious header. This results in a system compromise.
Applying the existing patch or updating to version 8.12.10 is strongly
recommended.
Even better would be replacing this MTA with a more securely designed one, e.g.
'postfix'...
|
|
|
If the sadmind(1M) daemon is utilizing the default security level
authentication mechanism of AUTH_SYS, users may
be able to forge AUTH_SYS credentials and execute arbitrary
commands with the permissions of the sadmind(1M) daemon (normally "root").
Enable strong (AUTH_DES) authentication to fix this problem.
|
|
|
KDM might grant local root access to any user with valid login credentials,
as it does not correctly handle the result of a pam_setcred() call.
In addition, the session cookie generation algorithm used by KDM was
considered too weak.
This could make it possible for non-authorized users to brute-force
the session cookie and gain access to the current session.
Patches are available now.
|
|
| System: | Various |
| Topic: | Vulnerability in OpenSSH |
| Links: | OpenSSH, CA-2003-24, VU#333628, AL-2003.16, S-03-069, OpenBSD, FreeBSD-SA-03:12, ESB-2003.0644, DSA-382, ESB-2003.0660, ESB-2003.0645, RHSA-2003-279, MDKSA-2003:090, ISS Advisory, Sun Alert 56861, ESB-2003.0679, Update: ae-200309-031 |
| ID: | ae-200309-027 |
A vulnerability exists in the buffer management code of OpenSSH.
The error occurs when a buffer is allocated for a large packet.
When the buffer is cleared, an improperly sized chunk of memory is
filled with zeros. This leads to heap corruption, which could cause
a denial-of-service condition.
This vulnerability may also allow an attacker to execute arbitrary code.
Patches are available now.
|
|
|
Within the last week, 51 new vulnerabilities have been reported:
|
|
| System: | Various |
| Topic: | Vulnerabilities in Nokia Electronic Documentation |
| Links: | Atstake |
| ID: | ae-200309-025 |
Three vulnerabilities were found in Nokia Electronic Documentation (NED)
that allow the NED to be used as an open proxy, disclose directory listings of
certain directories under the web root, and allow cross-site scripting
attacks.
No patches are available.
|
|
|
MySQL contains a buffer overflow condition which could be exploited by
a user who has permission to execute "ALTER TABLE" commands on the tables
in the "mysql" database.
If successfully exploited, this vulnerability could allow the attacker
to execute arbitrary code with the privileges of the mysqld process
(by default, user "mysql").
Patches are available now.
|
|
|
Several vulnerabilities were discovered in the font libraries of XFree86.
These bugs could potentially lead to execution of arbitrary code or a DoS
by a remote user.
Patches are available now.
|
|
|
OpenVMS systems with DCE or COM installed could be vulnerable to a
remotely initiated buffer overflow which would result in a hang of DCE or
COM applications on OpenVMS.
Patches are available now.
|
|
|
HP has released patches for vulnerabilities in Internet Express sendmail and
dtterm.
|
|
|
Several security-related vulnerabilities were discovered in the
sane-backends package.
These problems allow a remote attacker to cause a segmentation fault and/or
consume arbitrary amounts of memory. The attack is successful, even if the
attacker's computer isn't listed in saned.conf.
Fixed packages are available now.
|
|
| System: | Microsoft Windows NT, 2000, XP, Server 2003 |
| Topic: | Vulnerability in RPCSS service |
| Links: | MS03-039, CA-2003-23, VU#254236, VU#483492, AL-2003.15, ESB-2003.0637, ISS Alerts, S-03-068, Symantec, WinITSec |
| ID: | ae-200309-019 |
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
It is possible for root to raise the value of the seminfo.semmns
and seminfo.semmsl sysctls to values sufficiently high such that
an integer overflow occurs. This can allow root to write to kernel
memory irrespective of the security level.
Patches are available now.
|
|
|
Two buffer overflows exist in pine, one in the way the
'message/external-body' type is handled and one in the parsing of
MIME headers.
Patches are available now.
|
|
|
Certain malformed messages could cause the Evolution mail component to
crash due to a null pointer dereference in the GtkHTML library.
Fixed packages are available now.
|
|
|
Within the last week, 47 new vulnerabilities have been reported:
|
|
|
As every quarter, CERT/CC has published a summary pointing out the most
important vulnerabilities within the last months. These are:
- W32/Sobig.F Worm
- Exploitation of Vulnerabilities in Microsoft RPC Interface
- Cisco IOS Interface Blocked by IPv4 Packet
- Vulnerabilities in Microsoft Windows Libraries and Internet Explorer
- Malicious Code Propagation and Antivirus Software Updates
Further information about these topics can be found in the summary itself.
|
|
|
A remote heap buffer overflow vulnerability has been reported
in the Exim server. Carefully constructed EHLO/HELO messages can
cause a buffer overflow.
In stunnel there exists a race in the code that handles the SIGCHLD signal
and a file descriptor leak vulnerability that allows a local attacker to
hijack the stunnel server.
Patches are available now.
|
|
|
Sun has released patches for several already known vulnerabilities in
fileutils, lynx, and pam_xauth.
|
|
|
If a long password is supplied to the libpam-smb PAM authentication
module, this can cause a buffer overflow which could be exploited to
execute arbitrary code with the privileges of the process which invokes
PAM services.
Patches are available now.
|
|
|
A buffer overflow could be exploited by a remote attacker to execute
arbitrary code with the privileges of the user running the mah-jong server.
In addition there is the possibility to cause the mah-jong server to enter
a tight loop and stop responding to commands.
Fixed packages are available now.
|
|
| System: | HP HP-UX & Tru64 |
| Topic: | Vulnerabilities in wu-ftpd, Apache 2, OpenSSL and Network DoS |
| Links: | HPSBUX0309-277, SSRT3606, SSRT3587, SSRT3460, SSRT3521, SSRT3499, SSRT3518, ESB-2003.0628, ESB-2003.0626, ESB-2003.0625, ESB-2003.0622, ESB-2003.0623, ESB-2003.0629, ae-200307-028, ae-200308-001, ae-200302-042, ae-200303-071 |
| ID: | ae-200309-009 |
- For the already known vulnerability in 'wu-ftpd', new versions are now also
available for Tru64.
The following are HP-UX related only:
- For the already known vulnerabilities in Apache version 2, updates are
now available as well.
- For the already known vulnerabilities in OpenSSL (timing-based attacks and
RSA private key attack), updates are available as well.
- A problem in the network socket can lead to DoS of services in some
cases depending on certain network traffic; patches are available now.
|
|
|
For the already known vulnerabilities in Apache 2 below version 2.0.47 Red Hat
provides backpatched packages of version 2.0.40 (to avoid breaking binary
compatibility with 3rd-party Apache 2 modules).
|
|
|
Updates are now available for the already known buffer overflow in 'exim'.
When dynamically constructing archive files, the distributed 'wu-ftpd' calls
the local 'tar' (mostly GNU 'tar') in an insecure manner, so command-line options
can be passed, too. Fixed packages are available now.
|
|
|
Java Secure Socket Extension is also vulnerable to the already known
timing-based attacks. Patches are now available.
|
|
|
For the already known vulnerability in 'vnc' an update is now available.
|
|
|
pam_ldap 162, when used with the pam_filter mechanism for host-based access restriction,
allows any user to log in regardless of the host attribute.
An update is available now.
|
|
| System: | HP HP-UX |
| Topic: | Vulnerabilities in wu-ftpd, DCE and BIND |
| Links: | SSRT2316, SSRT2408, SSRT3603, SSRT3620, ESB-2003.0612, ESB-2003.0613, ESB-2003.0614, ESB-2003.0615, ae-200308-001, ESB-2003.0799 |
| ID: | ae-200309-003 |
- For the already known vulnerability in 'wu-ftpd', new versions are now available.
- The B.11.11 DCE is vulnerable to attacks by, e.g., the Blaster worm, and there
are problems in special cases.
- For the BIND vulnerability, the list of affected systems was extended.
|
|
| System: | Microsoft Windows NT, 2000, XP, Server 2003 |
| Topic: | Vulnerabilities in Office (Access, Word, Works Suite), Visual Basic for Applications and NetBIOS |
| Links: | MS03-034, MS03-035, MS03-036, MS03-037, MS03-038, N-142, N-143, N-144, N-145, ESB-2003.0610, ESB-2003.0616, ESB-2003.0617, ESB-2003.0618, ESB-2003.0619, WinITSec#40089, WinITSec#40090, WinITSec#40091, S-03-063, S-03-064, S-03-065, S-03-066, S-03-067, VU#992132 |
| ID: | ae-200309-002 |
Several vulnerabilities were found, see given URLs for more.
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
Red Hat has released new packages for the up2date and rhn_register clients, which
are required for continued access to the Red Hat Network. These packages
contain the SSL certificate necessary to continue accessing the Red Hat
Network.
|
|