Chosen month 03 / 2005

A malicious user may be able to send a crafted attack via SSL (Secure Sockets
Layer) to the Cisco VPN 3000 series concentrators which may cause the device
to reload and/or drop user connections.
The affected products are only vulnerable if they have the HTTPS service
enabled and access to the service is not limited to trusted hosts or
network management workstations.
Fixed software is available now.

A cross-site scripting problem was discovered in mailreader, a simple
but powerful WWW mail reader system, when displaying messages of the
MIME types text/enriched or text/richtext.
Fixed packages are available now.

An integer overflow flaw was found in libXpm, which is used by some
applications for loading XPM images. An attacker could create a
malicious XPM file that would execute arbitrary code if opened by a victim
using an application linked to the vulnerable library.
Fixed packages are available now.

A buffer overflow has been discovered in mc, the Midnight Commander,
a file browser and manager.
Fixed packages are available now.

System: Various
Topic: Vulnerability in Telnet
Links: iDEFENSE, iDEFENSE, ESB-2005.0244, VU#291924, VU#341908, CAN-2005-0468, CAN-2005-0469, DSA-697, DSA-699, ESB-2005.0251, ESB-2005.0253, RHSA-2005-327, ESB-2005.0246, RHSA-2005-330, ESB-2005.02R58, FreeBSD-SA-05:01, ESB-2005.0248, MITKRB5-SA-2005-001, P-163, ESB-2005.0254, Sun Alert #57755, ESB-2005.0250, MDKSA-2005:061, SUSE 9.2, SUSE 9.1, OpenBSD, ESB-2005.0263, DSA-703, Sun Alert #57761, ESB-2005.0291, SCOSA-2005.21
ID: ae-200503-041
Buffer overflows were discovered in the env_opt_add() and
slc_add_reply() functions of the telnet(1) command.
These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the
client and server. Specially crafted TELNET command sequences may
cause the execution of arbitrary code with the privileges of the user
invoking telnet(1).
Patches are available now.

System: SuSE Linux
Topic: Vulnerabilities in Kernel
Links: CAN-2005-0449, CAN-2005-0209, CAN-2005-0529, CAN-2005-0530, CAN-2005-0532, CAN-2005-0384, CAN-2005-0210, CAN-2005-0504, CAN-2004-0814, CAN-2004-1333, CAN-2005-0003, SUSE-2005:018
ID: ae-200503-040
The Linux kernel is the core component of the Linux system.
Several vulnerabilities were reported in the last few weeks which are fixed by a new update.

A format string vulnerability was found in the display program
which could allow a remote attacker to execute code
as the user running display by providing handcrafted filenames of
images.
Fixed packages are available now.

System: Various
Topic: Multiple vulnerabilities in Mozilla, Firefox, and Thunderbird
Links: CAN-2004-0906, CAN-2004-1380, CAN-2004-1613, CAN-2005-0141, CAN-2005-0142, CAN-2005-0143, CAN-2005-0144, CAN-2005-0146, CAN-2005-0147, CAN-2005-0149, CAN-2005-0232, CAN-2005-0255, CAN-2005-0399, CAN-2005-0401, CAN-2005-0402, ISS Advisory, ESB-2005.0237, P-160, RHSA-2005-323, RHSA-2005-335, RHSA-2005-336, RHSA-2005-337, ESB-2005.0241, ESB-2005.0242, ESB-2005.0243, P-138
ID: ae-200503-038
Several vulnerabilities were found in the web browser Mozilla Firefox, the
mail client Mozilla Thunderbird and the browser suite Mozilla.
Exploiting the worst of these vulnerabilities may allow an attacker to execute
arbitrary code or conduct malicious spoofing attacks.
Fixed versions are available now.

System: Mac OS X
Topic: New Apple Security Update
Links: APPLE-SA-2005-003, CAN-2005-0340, CAN-2005-0715, CAN-2005-0713, CAN-2005-0716, CAN-2004-1011, CAN-2004-1012, CAN-2004-1013, CAN-2004-1015, CAN-2004-1067, CAN-2002-1347, CAN-2004-0884, CAN-2005-0712, CAN-2005-0202, CAN-2005-0234, P-156
ID: ae-200503-037
A new Apple Security Update solves several security related problems.
The update provides improvements for
AFP Server, Bluetooth Setup Assistant, Core Foundation, Cyrus IMAP, Cyrus SASL, Folder Permissions,
Mailman, and Safari.
Installation of this update is recommended.

A new vulnerability was found in the File::Path::rmtree function which can allow
a normal user to create suid binaries.
Debian already provides updates.
It can be expected that other distributions will follow soon.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in realplay, ImageMagick, kdelibs and ipsec-tools
Links: RHSA-2005-299, RHSA-2005-070, RHSA-2005-320, RHSA-2005-232, RHSA-2005-325, P-159, CAN-2005-0398, CAN-2005-0237, CAN-2005-0365, CAN-2005-0396, ESB-2005.0238, ESB-2005.0239, ESB-2005.0240
ID: ae-200503-035
The racoon IKE daemon, contained in the package ipsec-tools, can be crashed remotely by sending a specially crafted ISAKMP packet.
A format string problem was found in ImageMagick which can lead to the execution of
arbitrary code as the user who opened a file with a specially crafted name.
Several new security issues were found in kdelibs.
Fixed packages are available now.
In the formerly distributed version 8 of RealPlayer, several security issues were
discovered. Because it is no longer supported by RealNetworks, Red Hat provides
an update to version 10.

Three new vulnerabilities were found in the MySQL database:
- two of them allow authenticated users to execute arbitrary code with the
privileges of the user running the database server
- the third one allows any local user to overwrite arbitrary files with the
privileges of the database server
Mandrake already provides updates for their Linux versions 10.0, 10.1, CS2.1,
CS3.0.
It can be expected that other distributions will follow soon.

A cross-site scripting (XSS) flaw in the driver script of mailman prior to
version 2.1.5 could allow remote attackers to execute scripts as other web
users.
A bug was found in the way libexif parses EXIF tags. An attacker could
create a carefully crafted EXIF image file which could cause image viewers
linked against libexif to crash.
Fixed packages are available now.

Two vulnerabilities were found in xloadimage and xli.
A flaw was reported in the handling of compressed images, where shell
meta-characters are not adequately escaped.
Insufficient validation of image properties has been discovered which could
potentially result in buffer management errors.
Fixed packages are available now.

A vulnerability in Java Web Start may allow an untrusted application to elevate its privileges.
As a result, an application may grant itself permissions to read and write local files or execute local
applications that are accessible to the user running the Java Web Start application.
As a workaround, Java Web Start can be disabled.
An update to version J2SE 5.0 Update 2 or J2SE 1.4.2_07 is also available.

Sylpheed is a fast GTK+ based e-mail client.
A buffer overflow bug has been found in the way Sylpheed handles non-ASCII characters in the header of a
message to which a victim replies.
A carefully crafted e-mail message could therefore allow an attacker to execute arbitrary code on a
victim's machine if they reply to such a message.
A fixed package solves this problem.

The McAfee AntiVirus Library is widely relied upon to provide antivirus
capabilities to desktop, server, and gateway systems.
By crafting an LHA file, an attacker is able to trigger a stack overflow
within the process importing the McAfee AntiVirus Library.
Affected are McAfee AntiVirus Library versions prior to 4400.

A buffer overflow in newgrp(1) may allow a local unprivileged user
to gain root privileges.
A patch is available now.

It was discovered that certain types of messages could be used to crash the
Evolution mail client.
Fixed packages are available now.

System: Unix/Linux
Topic: Vulnerabilities in KDE
Links: KDE-20050316-1, KDE-20050316-2, KDE-20050316-3, CAN-2005-0237, CAN-2005-0365, CAN-2005-0396, MDKSA-2005:058, ESB-2005.0227, ESB-2005.0228, ESB-2005.0229, SUSE-SA:2005:022
ID: ae-200503-026
A vulnerability in dcopserver was discovered.
A local user can lock up the dcopserver of other users on the same machine by
stalling the DCOP authentication process, causing a local Denial of Service.
The IDN (International Domain Names) support in Konqueror is vulnerable to a
phishing technique known as a Homograph attack. This attack is made possible
by IDN allowing a website to use a wide range of international characters
that have a strong resemblance to other characters.
It was found that the dcopidlng script was vulnerable to symlink attacks,
potentially allowing a local user to overwrite arbitrary files of a user when
the script is run on behalf of that user.
Patches are available now.

System: Red Hat Enterprise Linux
Topic: Vulnerabilities in squid, postfix, and tetex
Links: RHSA-2005-201, CAN-2005-0446, ESB-2005.0220, RHSA-2005-152, CAN-2005-0337, ESB-2005.0219, RHSA-2005-026, CAN-2004-1125, CAN-2005-0064, ESB-2005.0218
ID: ae-200503-025
A bug was found in the way Squid handles fully qualified domain name (FQDN)
lookups. A malicious DNS server could crash Squid by sending a carefully
crafted DNS response to an FQDN lookup.
Postfix is a Mail Transport Agent (MTA).
A flaw was found in the IPv6 patch used with Postfix. When the file
/proc/net/if_inet6 is not available and permit_mx_backup is enabled in
smtpd_recipient_restrictions, this flaw could allow remote attackers to
bypass e-mail restrictions and perform mail relaying by sending mail to an
IPv6 hostname.
The tetex packages (teTeX) contain an implementation of TeX for Linux or
UNIX systems.
teTeX uses code from xpdf, which includes two buffer overflows.
Fixed packages are available now.

KOffice uses an embedded version of xpdf.
Previous updates to correct integer overflow issues affecting xpdf overlooked
certain conditions when built for a 64 bit platform.
GnuPG is vulnerable to a timing attack that can be used to recover plaintext from
ciphertext.
The timing difference appears as a side effect of the so-called "quick scan"
and is only exploitable on systems that accept an arbitrary amount of ciphertext
for automatic decryption.
Fixed packages are available now.

Various buffer overflows and out-of-bounds memory accesses were found in openslp
which can be triggered by remote attackers sending malformed SLP packets.
Fixed packages are available now.

Buffer overflows were found in the Ethereal dissectors for Etheric, GPRS-LLC,
3GPP2 A11, IAPP, JXTA, and sFlow.
It is strongly recommended to upgrade to version 0.10.10.

A buffer overflow was discovered in luxman, an SVGA based PacMan clone,
that could lead to the execution of arbitrary commands as root.
Fixed packages are available now.

Anti-virus scanner software, whether installed locally or as a gateway scanner (SMTP or HTTP),
also decompresses archives to check their contents.
Good decompression routines are smart enough to decompress files regardless of whether the filename contains strange characters such as escape sequences.
Good AV software also takes care of such escape sequences in case the
decompressed filename is logged.
Unfortunately, this is not always the case in currently available software.
Our advisory (available as TXT only) contains
more information about some affected products. We also provide
some samples for testing this issue.

Ipswitch Collaboration Suite (ICS) is a comprehensive communication and collaboration solution for Microsoft Windows.
Exploitation of a remote buffer overflow within the IMAP daemon of ICS allows attackers to execute arbitrary code
with administrator privileges.
The vulnerability lies in the EXAMINE handler function.
It selects a mailbox so messages may be accessed. If an overly long name with more than 259 bytes
is used, EXAMINE will overwrite the saved stack frame pointer, resulting in potential control of process execution.
The EXAMINE IMAP command is only valid after authentication has occurred.
This vulnerability is fixed in IMail Server 8.15 Hotfix 1, which should be installed.

Gaim versions prior to version 1.1.4 suffer from a few security issues such as the HTML parser not sufficiently
validating its input. This allowed a remote attacker to crash the Gaim client by sending certain malformed HTML
messages.
Insufficient input validation was also discovered in the "Oscar" protocol handler,
used for ICQ and AIM. By sending specially crafted packets, remote users could trigger an infinite loop
in Gaim, causing it to become unresponsive and hang.
Gaim 1.1.4 is provided and fixes these issues.

There is a security vulnerability in the message queue of HP Tru64 UNIX systems
where a local unprivileged user may cause a Denial-of-Service (DoS).
The vulnerability may impact processes such as nfsstat, pfstat, arp, ogated,
rarpd, route, sendmail, srconfig, strsetup, trpt, netstat, and xntpd.
Early Release Patch (ERP) kits are available now.

A vulnerability was found in the kppp program from the kdenetwork package.
By opening a sufficiently large number of file descriptors before executing
kppp, which is installed setuid root, a local attacker is able to take over
privileged file descriptors.
Fixed packages are available now.

Web pages dynamically generated by the AnswerBook2 Search function may
allow the execution of scripts or present malicious HTML to a user.
A patch is available now.

Several buffer overflows were found in the command line handling of abuse,
which could lead to the execution of arbitrary code with elevated
privileges since it is installed setuid root.
In addition, abuse creates some files without dropping privileges first, which
may lead to the creation and overwriting of arbitrary files.
Fixed packages are available now.

A bug was found in the Mozilla string handling functions. If a malicious
website is able to exhaust a system's memory, it becomes possible to
execute arbitrary code.
Fixed packages are available now.

Gaim versions prior to version 1.1.4 suffer from a few security issues such as the HTML parser not sufficiently
validating its input. This allowed a remote attacker to crash the Gaim client by sending certain malformed HTML
messages.
Insufficient input validation was also discovered in the "Oscar" protocol handler,
used for ICQ and AIM. By sending specially crafted packets, remote users could trigger an infinite loop
in Gaim, causing it to become unresponsive and hang.
Gaim 1.1.4 is provided and fixes these issues.

SGI has released Security Updates #27, #28, and #29 for SGI Advanced Linux Environment 3.
These updates fix security related problems in
Python, PostgreSQL, Squid, kdelibs, kdebase, mod_python, emacs, xemacs, Squirrelmail, mailman,
cpio, vim, cups, and imap.
It is recommended to install these updates.

The xpdf package is an X Window System-based viewer for Portable Document Format (PDF) files.
As reported before, xpdf has several vulnerabilities.
An updated xpdf package that correctly fixes several integer overflows is now available.

Cyrus-sasl is a library providing authentication services.
A buffer overflow in the digestmd5 code could lead to a remote attacker executing code in the context of
the service using SASL authentication.
An updated package is available now.

System: Some
Topic: Vulnerabilities in RealNetworks Software
Links: iDEFENSE #209, Real, CAN-2005-0455, CAN-2005-0611, ESB-2005.0200, RHSA-2005-265, ESB-2005.0203, P-152, SUSE-SA:2005:014, RHSA-2005-265, ESB-2005.0234
ID: ae-200503-008
RealNetworks provides software such as RealPlayer, RealOne Player, or Helix Player.
The RealPlayer Synchronized Multimedia Integration Language (SMIL) file processor is vulnerable to a
buffer overflow. Another buffer overflow has been found in the way RealPlayer decodes WAV sound files.
An attacker could create a specially crafted SMIL file or WAV file that would execute arbitrary code
when opened by a user.
Updates address these vulnerabilities.

System: Various
Topic: Multiple vulnerabilities in Computer Associates License Manager
Links: AD20050302, iDEFENSE #210, iDEFENSE #211, iDEFENSE #212, iDEFENSE #213, iDEFENSE #214, iDEFENSE #215, CA, CAN-2005-0581, CAN-2005-0582, CAN-2005-0583, ESB-2005.0198, P-150
ID: ae-200503-007
The Licensing software allows for the remote management and tracking of software licenses.
CA License package versions between v1.53 and v1.61.8 contain buffer overflow conditions which can potentially
allow arbitrary code to be executed remotely with local SYSTEM privileges.
CA strongly recommends the application of the appropriate CA License patch.

System: HP OpenVMS
Topic: Vulnerability caused by privileged file access
Links: SSRT4866/HPSBOV01121, ESB-2005.0197
ID: ae-200503-006
A potential security vulnerability has been identified with HP OpenVMS VAX version 7.x and 6.x and
OpenVMS Alpha version 7.x or 6.x that may allow a local authorized user to gain unauthorized privileged access
to data and system resources.
An update solves this problem.

The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows
remote attackers to cause a Denial-of-Service (server restart) via certain SNMP packets with negative length
fields that cause a memory allocation error.
Additionally, the "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to
bypass url_regex ACLs via a URL with a NULL ("%00") character, which causes Squid to use only a portion of the
requested URL when comparing it against the access control lists.
SCO has fixed these binaries now.

KPPP is a dialer and front end for pppd. It allows for interactive script generation and network setup.
Local exploitation of a privileged file descriptor leak in KPPP can allow attackers to hijack a system's
domain name resolution function.
The vulnerability specifically exists due to kppp's failure to properly close privileged file descriptors.
Typically, KPPP is installed setuid root and uses privilege separation to allow only certain functions of
the PPP dialer to execute with elevated privileges.
Communication between the privileged portion and non-privileged portion of kppp is done over a domain socket
which does not properly get closed.
As a workaround, temporarily remove the setuid bit from KPPP and manually gain root privileges before executing KPPP.
A patch for KDE 3.1 is available now.

Symantec has responded to a potential vulnerability identified in the SMTP binding function of the entry-level
Symantec Gateway Security appliances with the ISP load-balancing capabilities.
In certain firmware versions, the SMTP (outbound e-mail) traffic would be load-balanced regardless of the
user-configured WAN binding selection.
This could result in SMTP traffic intended only for a trusted network potentially being passed over an untrusted connection instead.
New firmware releases are available now.

System: Various
Topic: Multiple vulnerabilities in Firefox
Links: Mozilla, MFSA2005-18, CAN-2004-1156, CAN-2005-0585, CAN-2005-0231, CAN-2005-0232, CAN-2005-0233, CAN-2005-0527, CAN-2005-0255, CAN-2005-0578, CAN-2005-0584, CAN-2005-0586, CAN-2005-0588, CAN-2005-0589, CAN-2005-0590, CAN-2005-0591, CAN-2005-0592, CAN-2005-0593, iDEFENSE#200, ESB-2005.0194, P-149, RHSA-2005-176, ESB-2005.0191, ESB-2005.0196, SUSE-SA:2005:016
ID: ae-200503-002
Seventeen vulnerabilities were found in the web browser Mozilla Firefox.
Exploiting the worst of these vulnerabilities may allow an attacker to execute
arbitrary code or conduct malicious spoofing attacks.
Firefox 1.0.1 fixes these problems.

A logical error was found in the challenge-response authentication mechanism
CRAM-MD5 used by the University of Washington IMAP daemon.
Due to this mistake a remote attacker can gain access to the IMAP server as an
arbitrary user.
Fixed packages are available now.