+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| July 12th, 2002 Volume 3, Number 28a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for LPRng, squid, and bind/glibc. The
vendors include Conectiva, Mandrake, and SuSE. If you missed last week's
newsletter, or have not yet updated apache, please visit the following
URLs:
July 5th 2002:
http://www.linuxsecurity.com/articles/forums_article-5255.html
June 28th 2002:
http://www.linuxsecurity.com/articles/forums_article-5211.html
June 21st 2002:
http://www.linuxsecurity.com/articles/forums_article-3.html
- Guardian Digital Combats Proprietary Software Licensing Deadline -
Guardian Digital, Inc., the first full-service open source Internet server
security company, has announced a special incentive program designed to
provide companies with an alternative to Windows-based servers and
applications as the July 31st deadline for Microsoft's new licensing
program approaches.
Press Release:
http://www.guardiandigital.com/company/press/EnGarde-Licensing-Promotion.pdf
Save Now:
http://store.guardiandigital.com/html/eng/493-AA.shtml
FEATURE: Threat Becomes Vulnerability Becomes Exploit
The recent situation regarding the Apache Chunk Encoding Vulnerability has
caused plenty of controversy in the security industry. It initially began
with the community dislike of the release of information.
http://www.linuxsecurity.com/feature_stories/feature_story-113.html
### Developing with open standards? Demanding High Performance? ###
Catch the Oracle9i JDeveloper wave now and check out how built-in
profilers and CodeCoach make your Java code tighter and faster than ever
before. Download your FREE copy of Oracle9i JDeveloper Today.
--> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle3
Find technical and managerial positions available worldwide. Visit the
LinuxSecurity.com Career Center: http://careers.linuxsecurity.com
+---------------------------------+
| LRPng | ----------------------------//
+---------------------------------+
Matthew Caron pointed out that using the LPRng default configuration, the
lpd daemon will accept job submissions from any remote host. These
updated LPRng packages modify the job submission policy in /etc/lpd.perms
to refuse print jobs from remote hosts by default.
Mandrake Linux 8.2:
8.2/RPMS/LPRng-3.8.6-2.1mdk.i586.rpm
c22c7e66ba57a5adc12bc989e3e315d0
8.2/SRPMS/LPRng-3.8.6-2.1mdk.src.rpm
ef4539669b170549739a538c530131e9
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2188.html
+---------------------------------+
| squid | ----------------------------//
+---------------------------------+
An attacker can exploit some of these vulnerabilities to execute arbitrary
code remotely as the user running squid (which in Conectiva Linux is
"proxy" or "nobody"), cause a Denial-of-Service (DoS) in the server or
inject/get invalid data in/from the network.
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/
squid-2.4.7-1U8_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
squid-auth-2.4.7-1U8_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
squid-doc-2.4.7-1U8_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
squid-templates-2.4.7-1U8_3cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2189.html
SuSE-8.0: i386
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/
squid-2.4.STABLE6-2.i386.rpm
01f5c698e0418e6055e9ed1018493380
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/
squid-2.4.STABLE6-9.i386.patch.rpm
917c26da9c444085d045b708548eae3e
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/
squid-2.4.STABLE6-9.i386.rpm
fa4780901f96712ea22eef28bdf53700
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2191.html
+---------------------------------+
| bind/glibc | ----------------------------//
+---------------------------------+
A vulnerability has been discovered in some resolver library functions.
The affected code goes back to the resolver library shipped as part of
BIND4; code derived from it has been included in later BIND releases as
well as the GNU libc.
SuSE:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2193.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 07:34:46 PDT