[security] security advisories

Lorenzo Iannuzzi nakis at libero.it
Sat 24 Apr 2004 12:57:35 CEST


Mandrake fixes a vulnerability in the Socks-5 proxy code in xchat and
two utempter vulnerabilities. 

Debian fixes an exploitable buffer overflow in ident2.

Red Hat fixes a symlink overflow in the iso9660 filesystem in the
athlon/x86 kernel, multiple vulnerabilities in the IA64 kernel and a DoS
vulnerability in XFree86. (All apply to RHEL 2.1) This kernel advisory
is for RHEL 3.

Trustix fixes a root exploit in Linux kernel multicast code.

Fedora fixes several vulnerabilities in the 2.4.22 kernel.


Upgraded to xine-lib-1-rc3c.
  This release fixes a security problem where opening a malicious MRL
could write to system (or other) files.


Upgraded to xine-ui-0.99.1,
  which fixes a similar MRL security issue.


There are two distinct denial of service vulnerabilities addressed by this

        1. Null-pointer assignment during SSL handshake

        A carefully crafted SSL/TLS handshake against a server which
        uses the OpenSSL library may result in a crash.  Depending on how
        the application uses the OpenSSL library, this may result in a
        denial of service.

        2. Out-of-bounds read affects Kerberos ciphersuites

        A second flaw in the SSL/TLS handshake could cause a server
        configured to use the Kerberos ciphersuites to crash if a carefully
        crafted sequence of packets is sent by an attacker.


The longstanding TCP protocol specification has several weaknesses.

- fabricated RST packets from a malicious third party can tear down a
TCP session
- fabricated SYN packets from a malicious third party can tear down a
TCP session
- a malicious third party can inject data to TCP session without much

NetBSD also had an additional implementation flaw, which made these
attacks easier.


SGI has released SGI Advanced Linux Environment security update #18,
which includes updated RPMs for SGI ProPack v2.3 and SGI ProPack v2.4
for the SGI Altix family of systems, in response to the following
security issues:

Updated cadaver package fixes security vulnerability in neon

Updated mailman package closes DoS vulnerability

Updated squid package fixes security vulnerability

Updated CVS packages fix security issue

Bye, and until next time!
