dziury z 5 i 12 VIII 2002
Blues
blues w ds6.pg.gda.pl
Pią, 16 Sie 2002, 14:09:50 CEST
Trochę zaspałem, ale... co się odwlecze to nie uciecze :)
Proszę o _dokładne_ przyjrzenie się temu co tutaj jest. Myślę, żę warto :)
Oto zestawienie:
Poprawione u nas
3. libpng
Vendor: libpng.sourceforge.net
A buffer overflow vulnerability was reported in 'libpng'. A
remote user may be able to create a specially crafted Portable
Network Graphics (PNG) image file to cause an affected application
to crash.
Impact: Denial of service via local system
Alert: http://securitytracker.com/alerts/2002/Jul/1004916.html
To należy sprawdzić czy to samo jest u nas. Niby tylko na TRU, ale...
4. su
Vendor: Compaq
A buffer overflow vulnerability was reported in the TRU64
operating system in the 'su' utility. A local user can execute
arbitrary code with root privileges.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/alerts/2002/Jul/1004915.html
Nie mamy suid-a na pppd, więc to nas nie dotyczy, ale trzeba mieć na
względzie i jak będzie możliwość to załatać.
7. Ppp
Vendor: [Multiple Authors/Vendors]
A vulnerability was reported in several vendors' Point-to-Point
Protocol (PPP) daemon implementations. A local user may be able to
obtain root privileges on the system.
Impact: Modification of system information
Alert: http://securitytracker.com/alerts/2002/Jul/1004903.html
Co z tym? Wersja u nas jest dziurawa! Wydana jest poprawiona wersja 1.2.1
13. mm library
Vendor: Engelschall, Ralf S.
A vulnerability was reported in the 'mm' shared memory
allocation library. A local user may be able to obtain elevated
privileges on the system.
Impact: Root access via local system
Alert: http://securitytracker.com/alerts/2002/Jul/1004888.html
mamy poprawioną wersję (BTW. wydana dzisiaj jest wersja g)
15. OpenSSL
Vendor: OpenSSL.org
Four buffer overflow conditions were reported in OpenSSL. All
four may allow a remote user to execute arbitrary code.
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Jul/1004879.html
Mozilla powoli zaczyna mieć tyle samo bugów co IE... :-/ Może przejdziemy
na betę, przynajmniej kilka rzeczy w niej jest załatane.
16. Mozilla Browser
Vendor: Mozilla.org
A vulnerability was reported in several vendors' web browser
javascript same origin policy implementations, including that of
the Mozilla browser. A remote user can write scripting code that
may be able to retrieve intranet web content from a target user's
internal network, even when the target user's internal network is
protected by a firewall.
Impact: Host/resource access via network
Alert: http://securitytracker.com/alerts/2002/Jul/1004878.html
32. Mozilla Browser
Vendor: Mozilla.org
An input validation vulnerability was reported in the Mozilla
web browser. A remote user may be able to conduct cross-site
scripting attacks in certain situations.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/alerts/2002/Aug/1004961.html
Co z tym? Coś mi świta, że dzimi poprawiał, ale... nie jestem pewien...
19. Util-linux
Vendor: Valente, Salvatore et al
A vulnerability was reported in a shared component of the
'util-linux' collection of utilities for Linux. A local user can
gain root access on the system.
Impact: Modification of system information
Alert: http://securitytracker.com/alerts/2002/Jul/1004875.html
Dziurawe, debian wypuścił pofixowaną wersję:
39. Mpack
Vendor: Carnegie Mellon University
Two vulnerabilities were reported in the 'mpack' (aka
'munpack') file decoding utility. A remote user may be able to
cause an e-mail program that uses mpack/munpack to decode
MIME-based binary files to crash or to execute arbitrary code. A
remote user may also be able to create certain files on the system.
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Aug/1004929.html
Teraz nowsze trochę:
Ten snapshot, który mamy jest, niestety, dziurawy.
1. ipppd
Vendor: isdn4linux.org
A vulnerability was reported in the 'ipppd' component of the
isdn4linux utils package. A local user can execute arbitrary
commands, possibly with root privileges.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/alerts/2002/Aug/1005012.html
Nasz nestowy apache jest nowszy
2. Apache
Vendor: Apache Software Foundation
A vulnerability was reported in Apache 2.0 when running on
non-Unix/non-Linux platforms. In the default configuration, a
remote user can cause denial of service conditions and can cause
the server to "reveal sensitive data."
Impact: Denial of service via network
Alert: http://securitytracker.com/alerts/2002/Aug/1005010.html
W cvs-ie jest poprawiona wersja.
11. Flash
Vendor: Macromedia
A vulnerability was reported in the Macromedia Flash Player. A
remote user can create Flash content that can read local files on
the target user's computer.
Impact: Disclosure of system information
Alert: http://securitytracker.com/alerts/2002/Aug/1004992.html
12. Flash
Vendor: Macromedia
Macromedia reported a buffer overflow vulnerability in the
Flash player. A remote user can create malicious content to
potentially cause arbitrary code to be executed on the target
user's computer.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2002/Aug/1004991.html
jak już qboosh napisał, nie dotyczy to naszej wersji
13. Tinyproxy
Vendor: Young, Steve / Kaes, Robert James
A vulnerability was reported in Tinyproxy, an HTTP proxy. A
rmeote user may be able to execute arbitrary code on the system.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2002/Aug/1004988.html
A temu to należy się BARDZO UWAŻNIE przyjrzeć... są niepokojące.
17. libc
Vendor: GNU [multiple authors]
A vulnerability was reported in the GNU libc runtime library,
as well as several C, C++, and Ada compilers and runtime libraries.
The calloc() function and other similar functions contain an
integer overflow that may possibly result in a buffer overflow in a
linked application.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/alerts/2002/Aug/1004982.html
18. GNU C++ Compiler (GCC)
Vendor: GNU [multiple authors]
A vulnerability was reported in the GNU C++ Compiler (gcc), as
well as several C, C++, and Ada compilers and runtime libraries.
The calloc() function and other similar functions contain an
integer overflow that may possibly result in a buffer overflow in a
compiled application.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/alerts/2002/Aug/1004981.html
To nas już nie dotyczy:
20. dietlibc
Vendor: von Leitner, Felix
A vulnerability was reported in the dietlibc runtime C library,
as well as several C, C++, and Ada compilers and runtime libraries.
The calloc() function and other similar functions contain an
integer overflow that may possibly result in a buffer overflow in a
compiled or linked application.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/alerts/2002/Aug/1004979.html
To też nas nie dotyczy:
22. Gaim
Vendor: Gaim.sourceforge.net
A potential buffer overflow vulnerability was reported in the
Gaim instant messaging client software. A remote user may be able
to execute arbitrary code on the client.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2002/Aug/1004975.html
Dla zainteresowanych...
27. SHOUTcast
Vendor: Nullsoft
An information disclosure vulnerability was reported in
Nullsoft's SHOUTcast streaming media server. A local user can
obtain the administrative password to the application.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/alerts/2002/Aug/1004970.html
31. Opera
Vendor: Opera Software
An input validation vulnerability was reported in the Opera web
browser. A remote user may be able to conduct cross-site scripting
attacks in certain situations.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/alerts/2002/Aug/1004962.html
--
---------------------------------
pozdr. Paweł Gołaszewski
---------------------------------
CPU not found - software emulation...
Więcej informacji o liście dyskusyjnej pld-devel-pl