Weekly holes...
Blues
blues at ds6.pg.gda.pl
Mon, 24 Jun 2002, 11:11:12 CEST
Here we go again :)
We have this one in a newer version:
Acrobat
Vendor: Adobe Systems Incorporated
A potential vulnerability was reported in Adobe Acrobat Reader
version 4.05 for Linux systems. A user may be able to cause
another user to overwrite files.
Impact: Modification of system information
Alert: http://securitytracker.com/alerts/2002/Jun/1004606.html
We have this one fixed as well:
Irssi
Vendor: Irssi.org
A denial of service vulnerability was reported in the IRSSI
Internet Relay Chat (IRC) client software. A remote user on an IRC
channel can cause the client to crash.
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Jun/1004592.html
This one deserves a look, but it only sits in CVS. For
those interested :)
Tomcat
Vendor: Apache Software Foundation
KPMG reported an information disclosure vulnerability in Apache
Tomcat. A remote user can determine the full path of the Tomcat
server.
Impact: Disclosure of system information
Alert: http://securitytracker.com/alerts/2002/Jun/1004586.html
Tomcat
Vendor: Apache Software Foundation
A denial of service vulnerability was reported in the Jakarta
Tomcat server. In a shared hosting environment, one hosted user's
malicious JSP code can crash the entire JSP engine, affecting all
other hosted users on that system.
Impact: Denial of service via local system
Alert: http://securitytracker.com/alerts/2002/Jun/1004578.html
Resin
Vendor: Caucho Technology
KPMG reported several vulnerabilities in the Resin web server.
A remote user can view files on the system that are located outside
of the web root directory. A remote user can also cause the web
service and possibly the entire server to crash.
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Jun/1004552.html
Now a VERY serious matter. This overflow appears to work, although
the report is about an earlier version. Currently there is no fix available...
If anyone finds/makes one, don't be shy :)
Procmail
Vendor: Procmail.org
A heap overflow vulnerability was reported in 'procmail'. A
local user may be able to gain root privileges on the system, but
that has not been verified.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/alerts/2002/Jun/1004584.html
Now the lizard and netscape:
Mozilla Browser
Vendor: Mozilla.org
A vulnerability was reported in the e-mail component of
Mozilla. A remote user could send a specially crafted e-mail
message that will cause the Mozilla e-mail client to fail to
download messages when downloading the message from a POP3 server.
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Jun/1004572.html
Netscape Communicator
Vendor: America Online, Inc.
A vulnerability was reported in the e-mail component of older
versions of Netscape Communicator. A remote user could send a
specially crafted e-mail message that will cause the Netscape
e-mail client to fail to download messages when downloading the
message from a POP3 server.
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Jun/1004571.html
We have no influence over this one. Fix in July :)
Flash
Vendor: Macromedia
A vulnerability was reported in Macromedia's Flash (SWF)
player. A remote user can create and host malicious Flash content
that, when referred to by another web site, may be able to access
data (such as user cookies) from the target user's domain of other
web site.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/alerts/2002/Jun/1004567.html
--
---------------------------------
Regards, Paweł Gołaszewski
---------------------------------
CPU not found - software emulation...