Forarded from: Kurt Seifried <listuserat_private> I don't mean to be rude but EnGarde is far from "secure". Duct-taping LIDS on top of the system helps but attackers can still compromise services, load code into memory and do naughty things. Check out the following list of advisories for 2002 alone. Please also note that they haven't issued advisories for the last ~2 months, leaving users vulnerable to several major issues. ESA-20020114-001 January 14, 2002 'sudo' MTA invocation as root ESA-20020114-002 January 14, 2002 'pine' URL handling vulnerability ESA-20020114-003 January 14, 2002 Several LIDS vulnerabilities ESA-20020125-004 January 25, 2002 'rsync' signed integer handling vulnerability ESA-20020301-005 March 1, 2002 mod_ssl's session caching potential buffer overflow ESA-20020301-006 March 1, 2002 Several flaws in PHP's MIME parsing. ESA-20020307-007 March 7, 2002 Local vulnerability in OpenSSH's channel code. ESA-20020311-008 March 11, 2002 Double free() in zlib may lead to buffer overflow. ESA-20020423-009 April 23, 2002 webalizer contains a potentially exploitable buffer overflow. ESA-20020429-010 April 29, 2002 sudo heap corruption vulnerability EBA-20020515-011 May 15, 2002 Fix defaults in php.ini EBA-20020515-012 May 15, 2002 Minor parsing fixes in Daily Summaries report. ESA-20020607-013 June 07, 2002 Remote buffer overflow in imap daemon. ESA-20020619-014 June 19, 2002 'apache' chunk handling overflow vulnerability ESA-20020625-015 June 25, 2002 openssh: introduce privilege separation into sshd ESA-20020702-016 July 02, 2002 several vulnerabilities in the OpenSSH daemon ESA-20020702-017 July 02, 2002 off-by-one in mod_ssl's configuration directive handling ESA-20020724-018 July 24, 2002 Buffer overflow in BIND4-derived resolver code ESA-20020730-019 July 30, 2002 Several vulnerabilities in the openssl library. ESA-20020807-020 August 7, 2002 OpenSSL ASN.1 vulnerability fix corrections. Kurt Seifried, kurtat_private A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:38:41 PDT