+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  September 21st, 2001                     Volume 2, Number 38a |
+----------------------------------------------------------------+

Editors:     Dave Wreski            Benjamin Thomas
             daveat_private         benat_private

This week, advisories were released for most, apache, and windowmaker.
The vendors include Debian, Mandrake, and SuSE. It has been a slow week.
We recommend taking time to make sure that no previous advisories have
been missed. A complete listing of our Linux advisories can be found at:

 * http://www.linuxsecurity.com/advisories/

Are you tired of rebuilding servers hit by NIMDA? EnGarde was designed
from the ground up as a secure solution, starting with the principle of
least privilege, and carrying it through every aspect of its
implementation.

 * http://www.engardelinux.org

Take advantage of our Linux Security discussion list! This mailing list
is for general security-related questions and comments. To subscribe,
send an e-mail to security-discuss-requestat_private with "subscribe"
as the subject.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

+---------------------------------+
|  most                           | ----------------------------//
+---------------------------------+

Pavel Machek has found a buffer overflow in the `most' pager program.
The problem is in most's tab expansion, where the program would write
beyond the bounds of two array variables when viewing a malicious file.
This could lead to other data structures being overwritten, which in
turn could enable most to execute arbitrary code and compromise the
user's environment.
Debian Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/most_4.9.0-2.1_i386.deb
  MD5 checksum: b998b05837b20e78e143be0ffdc3e44c

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1610.html

+---------------------------------+
|  apache                         | ----------------------------//
+---------------------------------+

A problem exists with all Apache servers prior to version 1.3.19. The
vulnerability could allow directory indexing and path discovery on
vulnerable servers with a custom crafted request consisting of a long
path name created artificially by using numerous slashes. This can cause
modules to misbehave and return a listing of the directory contents by
avoiding the error page.

Mandrake: PLEASE SEE ADVISORY FOR UPDATE

Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1611.html

+---------------------------------+
|  windowmaker                    | ----------------------------//
+---------------------------------+

The window manager Window Maker was found vulnerable to a buffer overflow
due to improper bounds checking when setting the window title. An
attacker can remotely exploit this buffer overflow by using malicious web
page titles or terminal escape sequences to set an excessively long
window title. This attack can lead to remote command execution with the
privileges of the user running Window Maker.

i386 Intel Platform:

SuSE-7.2
  ftp://ftp.suse.com/pub/suse/i386/update/7.2/xwm1/WindowMaker-0.64.0-82.i386.rpm
  MD5 Checksum: 0f5508e10089deecf34b51ab8c007bbf

SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1612.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
            To unsubscribe email vuln-newsletter-requestat_private
         with "unsubscribe" in the subject of the message.
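The `most' advisory above describes a pager writing past two fixed-size arrays while expanding tabs from a crafted file. The following is an added example, not most's own code: a tab expander that stops at the end of the caller's buffer and returns the length the full expansion would have needed, so truncation is reported instead of silently overflowing. The default tab stop of 8 is an assumption.

```c
/* Added example (not the most pager's code): bounds-checked tab expansion
 * with an snprintf-style contract, so a line whose tabs expand far beyond
 * the destination buffer is truncated and reported, never written past
 * the end of the array. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expand tabs in `in` to spaces (padding to the next multiple of `tabsize`),
 * writing at most outsz-1 bytes plus a terminating NUL into `out`.
 * Returns the number of bytes the complete expansion needs (excluding the
 * NUL); a return value >= outsz tells the caller the output was cut short. */
size_t expand_tabs(const char *in, size_t tabsize, char *out, size_t outsz)
{
    size_t col = 0;                 /* logical output column, counted even past the buffer */
    if (tabsize == 0) tabsize = 8;  /* assumption: default tab stop of 8 */

    for (const char *p = in; *p != '\0'; p++) {
        size_t run = 1;
        char ch = *p;
        if (ch == '\t') {
            run = tabsize - (col % tabsize);  /* spaces up to the next tab stop */
            ch = ' ';
        }
        /* Only the part of this run that still fits is stored; the remainder is
         * counted but dropped. This per-byte check is what an unchecked expander lacks. */
        for (size_t i = 0; i < run; i++) {
            if (outsz > 0 && col + i < outsz - 1)
                out[col + i] = ch;
        }
        col += run;
    }
    if (outsz > 0)
        out[col < outsz - 1 ? col : outsz - 1] = '\0';
    return col;
}

/* Constructed sample input: a short line whose tabs need 27 columns,
 * expanded into a 16-byte buffer. */
int main(void)
{
    char buf[16];
    size_t need = expand_tabs("x\t\t\tend", 8, buf, sizeof buf);
    printf("needed %zu bytes, kept \"%s\"%s\n", need, buf,
           need >= sizeof buf ? " (truncated)" : "");
    return 0;
}
```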
------------------------------------------------------------------------
- ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 05:23:18 PDT