Everything posted by aru

  1. Mandriva Security Advisories MDKSA-2005:192 : xli Updated xli packages fix buffer overflow vulnerabilities. October 20th, 2005 Ariel Berkman discovered several buffer overflows in xloadimage, which are also present in xli, a command line utility for viewing images in X11, and could be exploited via large image titles and cause the execution of arbitrary code. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: CS2.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:192 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  2. Mandriva Security Advisories MDKSA-2005:191 : ruby Updated ruby packages fix safe level and taint flag protections vulnerability October 20th, 2005 Yutaka Oiwa discovered a bug in Ruby, the interpreter for the object-oriented scripting language, that can cause illegal program code to bypass the safe level and taint flag protections check and be executed. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:191 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2337 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  3. Mandriva Security Advisories MDKSA-2005:190 : nss_ldap Updated nss_ldap/pam_ldap packages fix privilege vulnerabilities. October 20th, 2005 A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. This affects versions 169 through 179 of pam_ldap. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 10.2 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:190 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2641 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  4. Mandriva Security Advisories MDKSA-2005:189 : imap Updated imap packages fix buffer overflow vulnerabilities. October 20th, 2005 "infamous41md" discovered a buffer overflow in uw-imap, the University of Washington's IMAP Server that allows attackers to execute arbitrary code. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:189 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2933 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  5. Mandriva Security Advisories MDKSA-2005:188 : graphviz Updated graphviz packages fix temporary file vulnerability. October 20th, 2005 Javier Fernández-Sanguino Peña discovered insecure temporary file creation in graphviz, a rich set of graph drawing tools, that can be exploited to overwrite arbitrary files by a local attacker. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:188 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2965 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  6. Mandriva Security Advisories MDKSA-2005:186 : lynx Updated lynx packages fix remote buffer overflow October 17th, 2005 Ulf Harnhammar discovered a remote buffer overflow in lynx versions 2.8.2 through 2.8.5. When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis() with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian character sets. However, it does not check if it writes outside of the char array buf, and that causes a remote stack-based buffer overflow, with full control over EIP, EBX, EBP, ESI and EDI. Two attack vectors to make a victim visit a URL to a dangerous news server are: (a) *redirecting scripts*, where the victim visits some web page and it redirects automatically to a malicious URL, and (b) *links in web pages*, where the victim visits some web page and selects a link on the page to a malicious URL. Attack vector (b) is helped by the fact that Lynx does not automatically display where links lead to, unlike many graphical web browsers. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:186 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3120 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  7. Mandriva Security Advisories MDKSA-2005:185 : koffice Updated koffice packages fix KWord RTF import overflow vulnerability October 14th, 2005 Chris Evans reported a heap based buffer overflow in the RTF importer of KWord. An attacker could provide a specially crafted RTF file, which when opened in KWord can cause execution of arbitrary code. The updated packages are patched to deal with these issues. The released versions of Mandriva GNU/Linux affected are: 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:185 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2971 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  8. Mandriva Security Advisories MDKSA-2005:184 : cfengine Updated cfengine packages fix temporary file vulnerabilities October 13th, 2005 Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine <= 1.6.5 and <= 2.1.16 which allows local users to overwrite arbitrary files via a symlink attack on temporary files used by vicf.in. (CAN-2005-2960) In addition, Javier discovered the cfmailfilter and cfcron.in files for cfengine <= 1.6.5 allow local users to overwrite arbitrary files via a symlink attack on temporary files (CAN-2005-3137) The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:184 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3137 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  9. Mandriva Security Advisories MDKSA-2005:183 : wget Updated wget packages fix NTLM authentication vulnerability October 13th, 2005 A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name in NTLM authentication is enabled and either a) pass a user and domain name to libcurl that together are longer than 192 bytes or b) allow (lib)curl to follow HTTP redirects and the new URL contains a URL with a user and domain name that together are longer than 192 bytes. Wget, as of version 1.10, uses the NTLM code from libcurl and is also vulnerable to this issue. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:183 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3185 http://curl.haxx.se/mail/lib-2005-10/0061.html Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  10. Mandriva Security Advisories MDKSA-2005:182 : curl Updated curl packages fix NTLM authentication vulnerability October 13th, 2005 A vulnerability in libcurl's NTLM function can overflow a stack-based buffer if given too long a user name or domain name in NTLM authentication is enabled and either a) pass a user and domain name to libcurl that together are longer than 192 bytes or b) allow (lib)curl to follow HTTP redirects and the new URL contains a URL with a user and domain name that together are longer than 192 bytes. The updated packages have been patched to address this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:182 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3185 http://curl.haxx.se/mail/lib-2005-10/0061.html Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  11. Mandriva Security Advisories MDKSA-2005:181 : squid Updated squid packages fix vulnerabilities October 11th, 2005 Squid 2.5.9, while performing NTLM authentication, does not properly handle certain request sequences, which allows attackers to cause a denial of service (daemon restart). The updated packages have been patched to address these issues. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:181 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2917 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  12. Mandriva Security Advisories MDKSA-2005:180 : xine-lib Updated xine-lib packages fixes cddb vulnerability October 11th, 2005 When playing an Audio CD, a xine-lib based media application contacts a CDDB server to retrieve metadata like the title and artist's name. During processing of this data, a response from the server, which is located in memory on the stack, is passed to the fprintf() function as a format string. An attacker can set up a malicious CDDB server and trick the client into using this server instead of the pre-configured one. Alternatively, any user and therefore the attacker can modify entries in the official CDDB server. Using this format string vulnerability, attacker-chosen data can be written to an attacker-chosen memory location. This allows the attacker to alter the control flow and to execute malicious code with the permissions of the user running the application. This problem was reported by Ulf Harnhammar from the Debian Security Audit Project. The updated packages have been patched to correct this problem. The released versions of Mandriva GNU/Linux affected are: 10.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:180 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2967 http://xinehq.de/index.php/security/XSA-2005-1 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  13. Mandriva Security Advisories MDKSA-2005:179 : openssl Updated openssl packages fix vulnerabilities October 11th, 2005 Yutaka Oiwa discovered a vulnerability that potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL. Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability. The SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in the SSL 2.0 server supposed to prevent active protocol-version rollback attacks. With this verification step disabled, an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only. (CAN-2005-2969) The current default algorithm for creating "message digests" (electronic signatures) for certificates created by openssl is MD5. However, this algorithm is not deemed secure any more, and some practical attacks have been demonstrated which could allow an attacker to forge certificates with a valid certification authority signature even if he does not know the secret CA signing key. To address this issue, openssl has been changed to use SHA-1 by default. This is a more appropriate default algorithm for the majority of use cases. If you still want to use MD5 as default, you can revert this change by changing the two instances of "default_md = sha1" to "default_md = md5" in /usr/{lib,lib64}/ssl/openssl.cnf. (CAN-2005-2946) The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 MNF2.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:179 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2946 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  14. Mandriva Security Advisories MDKSA-2005:178 : squirrelmail Updated squirrelmail packages fixes XSS vulnerability October 11th, 2005 A cross-site scripting (XSS) vulnerability in add.php in Address Add Plugin 1.9 and 2.0 for Squirrelmail allows remote attackers to inject arbitrary web script or HTML via the IMG tag. The updated packages have an updated Address Add plugin to correct this problem. The released versions of Mandriva GNU/Linux affected are: CS3.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:178 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3128 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  15. Mandriva Security Advisories MDKA-2005:046 : drakxtools Updated drakxtools/HPLIP are available October 11th, 2005 A new version of the HPLIP driver suite is now available. This new version introduces support for parallel printers and multi-function devices; now USB, parallel, and network (TCP/Socket) devices are now fully supported, as well as the devices that the former HPOJ suite handled. The new HPLIP suite is now available for Mandrivalinux 2006. As a result, a new printerdrake is also available that installs HPLIP rather than HPOJ on all parallel HP printers and multi-function devices. Other fixes related to HPLIP are also included in the new printerdrake. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKA-2005:046 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  16. Mandriva Security Advisories MDKA-2005:045 : ghostscript Updated ghostscript packages fix various bugs October 11th, 2005 New ghostscript packages are now available that provide ghostscript 8.15.1 final and provide a number of bug fixes, including: A fix for vertical Japanese text. A memory overflow in the "lips4" driver was fixed. A double-free in gsdevice.c was fixed. A SEGV in the "inferno" driver was fixed; this was because the struct "inferno_device" was not created but it was accessed to its elements. The shared X11 driver was not built with the correct linker command (CCLD instead of CC_SHARED). The "opvp" driver incorrectly assumed that CODESET was supported on all platforms that supported iconv. Support in the "cups" driver for CUPS_CSPACE_RGBW colorspace was added. Other fixes are also included in these new packages. The released versions of Mandriva GNU/Linux affected are: 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKA-2005:045 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  17. Mandriva Security Advisories MDKA-2005:044 : postgresql Updated postgresql packages fix various bugs October 11th, 2005 A number of bugs are corrected in PostgreSQL version 8.0.4 so an update for Mandrivalinux 2006 is now available (PostgreSQL 8.0.3 was provided). Fixes include various memory leakage fixes, improved checking for partially-written WAL pages, a fix for an error that allowed "VACUUM" to remove ctid chains too soon, and other fixes. A dump/reload of the databases is not required when upgrading from the provided 8.0.3 version, but may be required if upgrading from an earlier version (i.e. upgrading from Mandrivalinux LE2005). The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKA-2005:044 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  18. Mandriva Security Advisories MDKA-2005:043 : shorewall Updated shorewall packages fix rule changing bug October 11th, 2005 A bug in the way chkconfig handled shorewall upgrades resulted in a problem with activating/deactivating shorewall rules via the administrative web interface; shorewall would no longer restart after modifications were made. The updated packages are updated to fix this problem. Once the updated package has been installed, issue the following commands at a command prompt: The released versions of Mandriva GNU/Linux affected are: MNF2.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKA-2005:043 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  19. Mandriva Security Advisories MDKA-2005:042 : mozilla-thunderbird-nb Updated mozilla-thunderbird-nb packages fix packaging bug October 11th, 2005 Due to a packaging bug, the mozilla-thunderbird-nb package could not be installed. This update corrects the bug allowing the package to be installed. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKA-2005:042 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  20. Mandriva Security Advisories MDKSA-2005:177 : hylafax Updated hylafax packages fix temporary file vulnerability October 7th, 2005 faxcron, recvstats, and xferfaxstats in HylaFax 4.2.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. (CAN-2005-3069) In addition, HylaFax has some provisional support for Unix domain sockets, which is disabled in the default compile configuration. It is suspected that a local user could create a fake /tmp/hyla.unix socket and intercept fax traffic via this socket. In testing for this vulnerability, with CONFIG_UNIXTRANSPORT disabled, it has been found that client programs correctly exit before sending any data. (CAN-2005-3070) The updated packages have been patched to correct these issues. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:177 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3069 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3070 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  21. Mandriva Security Advisories MDKSA-2005:176 : webmin Updated webmin package fixes authentication bypass vulnerability October 7th, 2005 Miniserv.pl in Webmin 1.220, when "full PAM conversations" is enabled, allows remote attackers to bypass authentication by spoofing session IDs via certain metacharacters (line feed or carriage return). The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:176 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  22. Mandriva Security Advisories MDKSA-2005:175 : texinfo Updated texinfo packages fix temporary file vulnerability October 6th, 2005 Frank Lichtenheld has discovered that texindex insecurely creates temporary files with predictable filenames. This is exploitable if a local attacker were to create symbolic links in the temporary files directory, pointing to a valid file on the filesystem. When texindex is executed, the file would be overwritten with the rights of the user running texindex. The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: 10.1 CS2.1 CS3.0 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:175 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3011 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  23. Mandriva Security Advisories MDKSA-2005:174 : mozilla-thunderbird Updated mozilla-thunderbird packages fix multiple vulnerabilities October 6th, 2005 Updated Mozilla Thunderbird packages fix various vulnerabilities: The run-mozilla.sh script, with debugging enabled, would allow local users to create or overwrite arbitrary files via a symlink attack on temporary files (CAN-2005-2353). A bug in the way Thunderbird processes XBM images could be used to execute arbitrary code via a specially crafted XBM image file (CAN-2005-2701). A bug in the way Thunderbird handles certain Unicode sequences could be used to execute arbitrary code via viewing a specially crafted Unicode sequence (CAN-2005-2702). A bug in the way Thunderbird makes XMLHttp requests could be abused by a malicious web page to exploit other proxy or server flaws from the victim's machine; however, the default behaviour of the browser is to disallow this (CAN-2005-2703). A bug in the way Thunderbird implemented its XBL interface could be abused by a malicious web page to create an XBL binding in such a way as to allow arbitrary JavaScript execution with chrome permissions (CAN-2005-2704). An integer overflow in Thunderbird's JavaScript engine could be manipulated in certain conditions to allow a malicious web page to execute arbitrary code (CAN-2005-2705). A bug in the way Thunderbird displays about: pages could be used to execute JavaScript with chrome privileges (CAN-2005-2706). A bug in the way Thunderbird opens new windows could be used by a malicious web page to construct a new window without any user interface elements (such as address bar and status bar) that could be used to potentially mislead the user (CAN-2005-2707). A bug in the way Thunderbird processed URLs on the command line could be used to execute arbitrary commands as the user running Thunderbird; this could be abused by clicking on a supplied link, such as from an instant messaging client (CAN-2005-2968). Tom Ferris reported that Thunderbird would crash when processing a domain name consisting solely of soft-hyphen characters due to a heap overflow when IDN processing results in an empty string after removing non-wrapping characters, such as soft-hyphens. This could be exploited to run or install malware on the user's computer (CAN-2005-2871). The updated packages have been patched to correct these issues. The released versions of Mandriva GNU/Linux affected are: 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:174 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2968 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2871 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2353 http://www.mozilla.org/security/announce/mfsa2005-59.html http://www.mozilla.org/security/announce/mfsa2005-58.html http://www.mozilla.org/security/announce/mfsa2005-57.html Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  24. Mandriva Security Advisories MDKSA-2005:173 : mozilla-firefox Updated mozilla-firefox packages fix vulnerabilities October 6th, 2005 New updates are available for Mozilla Firefox: A regression in the LE2005 Firefox package caused problems with cursor movement that has been fixed. The run-mozilla.sh script, with debugging enabled, would allow local users to create or overwrite arbitrary files via a symlink attack on temporary files (CAN-2005-2353). nsScriptSecurityManager::GetBaseURIScheme didn't handle jar:view-source:... correctly because the jar: and view-source: cases didn't use recursion as they were supposed to. This was corrected in Firefox 1.0.4 and only affects the LE2005 package. The updated packages have been patched to correct these issues. The released versions of Mandriva GNU/Linux affected are: 10.2 2006.0 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:173 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2353 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)
  25. Mandriva Security Advisories MDKSA-2005:172 : openssh Updated openssh packages fix GSSAPI credentials vulnerability October 6th, 2005 Sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. GSSAPI is only enabled in versions of openssh shipped in LE2005 and greater. The updated packages have been patched to correct this issue. The released versions of Mandriva GNU/Linux affected are: 10.2 Full information about this advisory, including the updated packages, is available at: www.mandriva.com/security/advisories?name=MDKSA-2005:172 Other references: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2798 Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.14 2005/05/15 18:06:11 aru Exp aru $)