Weekly holes

Blues blues at ds6.pg.gda.pl
Mon, 1 Jul 2002, 11:15:44 CEST


Looks like we are keeping up in the race to patch holes :)

Fixed:

20. Mod_ssl

    Vendor: Modssl.org

    A vulnerability was reported in mod_ssl.  A local user that can
    create '.htaccess' files may be able to cause mod_ssl to crash or
    execute arbitrary code on the system with the privileges of the web
    server.

    Impact: Denial of service via local system

    Alert: http://securitytracker.com/alerts/2002/Jun/1004636.html

22. Sendmail

    Vendor: Sendmail Consortium

    A buffer overflow was reported in Sendmail.  A remote user with
    control of a DNS server may be able to trigger the overflow if the
    server is configured in a specific manner.

    Impact: Execution of arbitrary code via network

    Alert: http://securitytracker.com/alerts/2002/Jun/1004633.html


34. OpenSSH

    Vendor: OpenSSH.org

    A vulnerability was reported in the OpenSSH implementation of
    the Secure Shell SSH protocol.  A remote user may be able to obtain
    root access on the system.  No further details have been released.

    Impact: Execution of arbitrary code via network

    Alert: http://securitytracker.com/alerts/2002/Jun/1004616.html


**************
This is VERY worrying... It needs to be looked at urgently. Bind definitely
needs an upgrade once a new version 9.2.2/9.3.0 is out; this is a similar
thing to the one recently found in sendmail.
The advisory recommends using the resolver from the new bind 8, because in 9
it is simply a copy.
**************

21. libc

    Vendor: FreeBSD

    A buffer overflow vulnerability was reported in 'libc'.  A
    remote user with control over a DNS server could cause arbitrary
    code to be executed on the system when the system resolves an address.

    Impact: Execution of arbitrary code via network

    Alert: http://securitytracker.com/alerts/2002/Jun/1004635.html


Another thing in Resin:

25. Resin

    Vendor: Caucho Technology

    A vulnerability was reported in Caucho's Resin web server.  A
    remote user can determine the physical path of the web root directory.

    Impact: Disclosure of system information

    Alert: http://securitytracker.com/alerts/2002/Jun/1004630.html




-- 
---------------------------------
Regards, Paweł Gołaszewski
---------------------------------
CPU not found - software emulation...


