[security] Security Advisories

Lorenzo Iannuzzi nakis a libero.it
Gio 13 Maggio 2004 12:39:37 CEST 

http://www.sco.com/support/security/index.html

        As noted in the Xsecurity(X) man page, OpenServer 5 provides
        multiple X display access control mechanisms. 

        The least secure is the Host Access method, where any 
        client on a host in the host access control list (which 
        is managed by the xhost command) is allowed access to 
        the X server. 

        More secure access methods are provided using the X 
        authorization protocol (Xauthority). Currently, OpenServer 5 
        supports the X authorization protocol only for X sessions 
        which are started by scologin. 

        This supplement provides support for the X authorization 
        protocol for X sessions which are not started by scologin 
        (e.g., sessions which are started via startx).

        In order to prevent unauthorized access to your system, do not 
        use the xhost command to grant access to your X server.  Instead, 
        it is recommended that you use the access provided by the 
        .Xauthority file.  

        With this supplement applied, scologin, startx, and xinit can all 
        be used to start the X server using the MIT-MAGIC-COOKIE-1 access       
        control system as described in the Xsecurity(X) man page.  
        If the X server is started directly (by running X or Xsco), 
        Xauthority-style access control will not be enabled.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0390 to this issue. 

http://www.mandrakesecure.net/en/advisories/

 Rsync before 2.6.1 does not properly sanitize paths when running a 
 read/write daemon without using chroot, allows remote attackers to write 
 files outside of the module's path.

 A memory leak in mod_ssl in the Apache HTTP Server prior to version           
 2.0.49 allows a remote denial of service attack against an SSL-enabled
 server. 

http://security.gentoo.org/glsa/glsa-200405-03.xml

With a specific configuration (using %f in the VirusEvent parameter),
Clam AntiVirus is vulnerable to an attack allowing execution of
arbitrary commands.

http://security.gentoo.org/glsa/glsa-200405-04.xml

Several format string vulnerabilities are present in the Neon library
included in OpenOffice.org, allowing remote execution of arbitrary
code when connected to an untrusted WebDAV server.

http://lwn.net/Articles/84884/

OpenPKG has updated apache with fixes for a few problems from the apache
1.3.31 release. 

Red Hat has sent out a kernel update fixing a number of relatively small
problems and adding the lightweight auditing framework. Also from Red
Hat is this update to ipsec-tools fixing several problems.
-- 

Ciao e alla prossima!
Lorenzo

Maggiori informazioni sulla lista security