Re: [ISN] Start-up banks on hack-proof Linux

From: InfoSec News (isnat_private)
Date: Fri Sep 27 2002 - 00:06:31 PDT

Next message: InfoSec News: "[ISN] Distributed.net completes RC5-64 project - September 25, 2002"

Previous message: InfoSec News: "[ISN] NCS prepping 'gee-whiz' pilot"
Maybe in reply to: InfoSec News: "[ISN] Start-up banks on hack-proof Linux"
Next in thread: InfoSec News: "Re: [ISN] Start-up banks on hack-proof Linux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forarded from: Kurt Seifried <listuserat_private>

I don't mean to be rude but EnGarde is far from "secure". Duct-taping
LIDS on top of the system helps but attackers can still compromise
services, load code into memory and do naughty things. Check out the
following list of advisories for 2002 alone. Please also note that
they haven't issued advisories for the last ~2 months, leaving users
vulnerable to several major issues.


 ESA-20020114-001  January 14, 2002  'sudo' MTA invocation as root
 
 ESA-20020114-002  January 14, 2002  'pine' URL handling vulnerability
 
 ESA-20020114-003  January 14, 2002  Several LIDS vulnerabilities
 
 ESA-20020125-004  January 25, 2002  'rsync' signed integer handling
 vulnerability
      
 ESA-20020301-005  March 1, 2002 mod_ssl's session caching potential
 buffer overflow
      
 ESA-20020301-006  March 1, 2002  Several flaws in PHP's MIME parsing.
      
 ESA-20020307-007  March 7, 2002  Local vulnerability in OpenSSH's
 channel code.
      
 ESA-20020311-008  March 11, 2002  Double free() in zlib may lead to
 buffer overflow.
      
 ESA-20020423-009  April 23, 2002  webalizer contains a potentially
 exploitable buffer overflow.
      
 ESA-20020429-010  April 29, 2002  sudo heap corruption vulnerability
      
 EBA-20020515-011  May 15, 2002  Fix defaults in php.ini
      
 EBA-20020515-012  May 15, 2002  Minor parsing fixes in Daily 
 Summaries report.
      
 ESA-20020607-013  June 07, 2002  Remote buffer overflow in imap
 daemon.
      
 ESA-20020619-014  June 19, 2002  'apache' chunk handling overflow
 vulnerability
      
 ESA-20020625-015  June 25, 2002  openssh: introduce privilege
 separation into sshd
      
 ESA-20020702-016  July 02, 2002  several vulnerabilities in the
 OpenSSH daemon
      
 ESA-20020702-017  July 02, 2002  off-by-one in mod_ssl's 
 configuration directive handling
      
 ESA-20020724-018  July 24, 2002  Buffer overflow in BIND4-derived
 resolver code
      
 ESA-20020730-019  July 30, 2002  Several vulnerabilities in the
 openssl library.
      
 ESA-20020807-020  August 7, 2002  OpenSSL ASN.1 vulnerability fix
 corrections.


Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] Distributed.net completes RC5-64 project - September 25, 2002"
Previous message: InfoSec News: "[ISN] NCS prepping 'gee-whiz' pilot"
Maybe in reply to: InfoSec News: "[ISN] Start-up banks on hack-proof Linux"
Next in thread: InfoSec News: "Re: [ISN] Start-up banks on hack-proof Linux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 02:38:41 PDT