February 18, 2005

Linux Advisory Watch - February 18, 2005

Author: Preston St. Pierre

This week, advisories were released for libXpm, evolution, mailman, hztty,
xpcd, sympa, netkit-rwho, toolchain, htdig, synaesthesia, awstats, typespeed,
emacs, gftp, python, openoffice, kernel, kdeedu, gallery, webmin, perl-suid,
ht://Dig, opera, vmware, lighttpd, kstars, midnight commander, drakxtools, cpio,
enscript, mysql, rwho, kdelibs, xpdf, libtiff, vim, ethereal, thunderbird, and
squid. The vendors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Red
Hat, and SuSE.

Security Policy
By Blessen Cherian

The Security Policy is a document which addresses the following areas:

  • Authentication: This section deals with what methods are
    used to determine if a user is real or not, which users can or cannot access
    the system, the minimum length of password allowed, how long can a user be
    idle before he is logged out, etc.
  • Authorization: This area deals with classifying user levels
    and what each level is allowed to do on the system, which users can become
    root, etc.
  • Data Protection: Data protection deals with the details
    like what data should be protected and who can access which levels of data
    on the system.
  • Internet Access: This area deals with the details of the
    users having access to the internet and what they can do there.
  • Internet Services: This section deals with what services
    on the server are accessible from the internet and which are not.
  • Security Audit: This area addresses how audit and review
    of security related areas and processes will be done.
  • Incident Handling: This area addresses the steps and measures
    to be taken if there is a breach of security. This also covers the steps to
    find out the actual culprit and the methods to prevent future incidents.
  • Responsibilities: This part covers who will be contacted
    at any given stage of an incident and the responsibilities of the administrator(s)
    during and after the incident. This is a very important area, since the operation
    of the incident handling mechanism is dependent on it.

    Read Entire Article:
    http://www.linuxsecurity.com/content/view/118211/49/

 

LinuxSecurity.com
Feature Extras:

Getting to Know Linux Security: File Permissions
- Welcome to the first
tutorial in the 'Getting to Know Linux Security' series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I'll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection
- To be honest, this was one of the best books that I've read on network security.
Other books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting Shell Scripts
- Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn't have a "ps -ef" loop running in an attempt to capture
that sensitive info (though some applications mask passwords in "ps" output).

 

Take advantage of our Linux Security discussion list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security headlines.


   Conectiva
  Conectiva: XFree86 Fixes for overflows in libXpm
  14th, February, 2005

Updated XFree86

http://www.linuxsecurity.com/content/view/118286

 
  Conectiva: evolution Fix for Evolution vulnerability
  16th, February, 2005

Max Vozeler discovered an integer overflow in the helper
application camel-lock-helper. A local attacker can cause the helper to
execute arbitrary code via a malicious POP server, but only with the
current user's privileges, because it is neither setuid root nor setgid
mail.

http://www.linuxsecurity.com/content/view/118351

 
   Debian
  Debian: New evolution packages fix arbitrary code execution as root
  10th, February, 2005

Max Vozeler discovered an integer overflow in a helper application
inside of Evolution, a free groupware suite. A local attacker could cause
the setuid root helper to execute arbitrary code with elevated privileges.

http://www.linuxsecurity.com/content/view/118234

 
  Debian: New mailman packages fix several vulnerabilities
  10th, February, 2005

Updated

http://www.linuxsecurity.com/content/view/118235

 
  Debian: New hztty packages fix local utmp exploit
  10th, February, 2005

Updated package

http://www.linuxsecurity.com/content/view/118245

 
  Debian: New mailman packages really fix several vulnerabilities
  11th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118261

 
  Debian: New xpcd packages fix arbitrary code execution as root
  11th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118262

 
  Debian: New sympa packages fix potential arbitrary code execution
  11th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118263

 
  Debian: New netkit-rwho packages fix denial of service
  11th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118266

 
  Debian: New toolchain-source package fixes insecure temporary files
  14th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118280

 
  Debian: New htdig packages fix cross-site scripting vulnerability
  14th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118285

 
  Debian: New synaesthesia packages fix unauthorised file access
  14th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118294

 
  Debian: New awstats packages fix arbitrary command execution
  15th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118302

 
  Debian: New postgresql packages fix arbitrary code execution
  15th, February, 2005

Updated package

http://www.linuxsecurity.com/content/view/118333

 
  Debian: New typespeed packages fix arbitrary group games code execution
  16th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118345

 
  Debian: New emacs21 packages fix arbitrary code execution
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118356

 
  Debian: New gftp packages fix directory traversal vulnerability
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118362

 
   Fedora
  Fedora Core 3 Update: mailman-2.1.5-30.fc3
  10th, February, 2005

There is a critical security flaw in Mailman 2.1.5 which will
allow attackers to read arbitrary files.

http://www.linuxsecurity.com/content/view/118243

 
  Fedora Core 2 Update: mailman-2.1.5-8.fc2
  10th, February, 2005

There is a critical security flaw in Mailman 2.1.5 which will
allow attackers to read arbitrary files.

http://www.linuxsecurity.com/content/view/118244

 
  Fedora Core 2 Update: mod_python-3.1.3-1.fc2.2
  10th, February, 2005

Graham Dumpleton discovered a flaw affecting the publisher handler
of mod_python, used to make objects inside modules callable via URL.

http://www.linuxsecurity.com/content/view/118252

 
  Fedora Core 3 Update: mod_python-3.1.3-5.2
  10th, February, 2005

Graham Dumpleton discovered a flaw affecting the publisher handler
of mod_python, used to make objects inside modules callable via URL.

http://www.linuxsecurity.com/content/view/118253

 
  Fedora Core 3 Update: openoffice.org-1.1.3-5.5.0.fc3
  11th, February, 2005

Several bugs fixed.

http://www.linuxsecurity.com/content/view/118273

 
  Fedora Core 2 Update: xemacs-21.4.17-0.FC2
  15th, February, 2005

Update to 21.4.17 stable release, which also fixes the CAN-2005-0100
movemail string format vulnerability.

http://www.linuxsecurity.com/content/view/118300

 
  Fedora Core 3 Update: xemacs-21.4.17-0.FC3
  15th, February, 2005

Update to 21.4.17 stable release, which also fixes the CAN-2005-0100
movemail string format vulnerability and the AltGr issue for European
input.

http://www.linuxsecurity.com/content/view/118301

 
  Fedora Core 2 Update: kernel-2.6.10-1.14_FC2
  15th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118339

 
  Fedora Core 3 Update: kernel-2.6.10-1.766_FC3
  15th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118340

 
  Fedora Core 3 Update: kdeedu-3.3.1-2.3
  17th, February, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118361

 
   Gentoo
  Gentoo: Python Arbitrary code execution through SimpleXMLRPCServer
  10th, February, 2005

Python-based XML-RPC servers may be vulnerable to remote execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/118240

 
  Gentoo: Mailman Directory traversal vulnerability
  10th, February, 2005

Mailman fails to properly sanitize input, leading to information
disclosure.

http://www.linuxsecurity.com/content/view/118242

 
  Gentoo: Gallery Cross-site scripting vulnerability
  10th, February, 2005

Gallery 1.4.4-pl5, which was intended to fix a cross-site scripting
vulnerability, did not actually resolve the issue. The Gallery Development
Team have released version 1.4.4-pl6 to properly solve this problem.

http://www.linuxsecurity.com/content/view/118251

 
  Gentoo: Webmin Information leak in Gentoo binary package
  11th, February, 2005

Portage-built Webmin binary packages accidentally include a
file containing the local encrypted root password.

http://www.linuxsecurity.com/content/view/118271

 
  Gentoo: Perl Vulnerabilities in perl-suid wrapper
  11th, February, 2005

Vulnerabilities leading to file overwriting and code execution
with elevated privileges have been discovered in the perl-suid wrapper.

http://www.linuxsecurity.com/content/view/118272

 
  Gentoo: mod_python Publisher Handler vulnerability
  13th, February, 2005

mod_python contains a vulnerability in the Publisher Handler
potentially leading to information disclosure.

http://www.linuxsecurity.com/content/view/118275

 
  Gentoo: PowerDNS Denial of Service vulnerability
  13th, February, 2005

A vulnerability in PowerDNS could lead to a temporary Denial
of Service.

http://www.linuxsecurity.com/content/view/118276

 
  Gentoo: ht://Dig: Cross-site scripting vulnerability
  13th, February, 2005

ht://Dig is vulnerable to cross-site scripting attacks.

http://www.linuxsecurity.com/content/view/118277

 
  Gentoo: Opera Multiple vulnerabilities
  14th, February, 2005

Opera contains several vulnerabilities which could result
in information disclosure and facilitate execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118295

 
  Gentoo: VMware Workstation Untrusted library search path
  14th, February, 2005

VMware may load shared libraries from an untrusted, world-writable
directory, resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118296

 
  Gentoo: AWStats Remote code execution
  14th, February, 2005

Version 6.3 of AWStats only partially fixed the input validation
flaws.

http://www.linuxsecurity.com/content/view/118297

 
  Gentoo: PostgreSQL Buffer overflows in PL/PgSQL parser
  14th, February, 2005

PostgreSQL is vulnerable to several buffer overflows in the
PL/PgSQL parser leading to execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118298

 
  Gentoo: Emacs, XEmacs Format string vulnerabilities in
  15th, February, 2005

The movemail utility shipped with Emacs and XEmacs contains
several format string vulnerabilities, potentially leading to the execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/118335

 
  Gentoo: lighttpd Script source disclosure
  15th, February, 2005

An attacker can trick lighttpd into revealing the source of
scripts that should be executed as CGI or FastCGI applications.

http://www.linuxsecurity.com/content/view/118336

 
  Gentoo: wpa_supplicant Buffer overflow vulnerability
  16th, February, 2005

wpa_supplicant contains a buffer overflow that could lead to
a Denial of Service.

http://www.linuxsecurity.com/content/view/118353

 
  Gentoo: KStars Buffer overflow in fliccd
  16th, February, 2005

KStars is vulnerable to a buffer overflow that could lead to
arbitrary code execution with elevated privileges.

http://www.linuxsecurity.com/content/view/118354

 
  Gentoo: Midnight Commander Multiple vulnerabilities
  17th, February, 2005

Midnight Commander contains several format string errors, buffer
overflows and one buffer underflow leading to execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118363

 
   Mandrake
  Mandrake: Updated drakxtools package
  10th, February, 2005

Several new bugs have been identified and corrected in the drakxtools
package.

http://www.linuxsecurity.com/content/view/118255

 
  Mandrake: Updated cpio packages fix
  10th, February, 2005

A vulnerability in cpio was discovered where cpio would create
world-writeable files when used in -o/--create mode and giving an output
file (with -O). This would allow any user to modify the created cpio archive.
The updated packages have been patched so that cpio now respects the current
umask setting of the user.

http://www.linuxsecurity.com/content/view/118256

 
  Mandrake: Updated enscript packages
  10th, February, 2005

A vulnerability in the enscript program's handling of the epsf
command used to insert inline EPS file into a document was found.

http://www.linuxsecurity.com/content/view/118257

 
  Mandrake: Updated squid packages fix
  10th, February, 2005

More vulnerabilities were discovered in the squid server: The
LDAP handling of search filters was inadequate which could be abused to
allow logins using several variants of a single login name, possibly
bypassing explicit access controls (CAN-2005-0173).

http://www.linuxsecurity.com/content/view/118258

 
  Mandrake: Updated python packages fix
  10th, February, 2005

A flaw in the python language was found by the development team.

http://www.linuxsecurity.com/content/view/118259

 
  Mandrake: Updated MySQL packages fix
  10th, February, 2005

A temporary file vulnerability in the mysqlaccess script in
MySQL was discovered by Javier Fernandez-Sanguino Pena. This flaw could
allow an unprivileged user to let root overwrite arbitrary files via a
symlink attack.

http://www.linuxsecurity.com/content/view/118260

 
  Mandrake: Updated cpio packages fix
  11th, February, 2005

A vulnerability in cpio was discovered where cpio would create
world-writeable files when used in -o/--create mode and giving an output
file (with -O). This would allow any user to modify the created cpio archive.
The updated packages have been patched so that cpio now respects the current
umask setting of the user.

http://www.linuxsecurity.com/content/view/118274

 
  Mandrake: Updated mailman packages fix
  14th, February, 2005

A vulnerability was discovered in Mailman, which allows a remote
directory traversal exploit using URLs of the form ".../....///" to access
private Mailman configuration data. The vulnerability lies in the Mailman/Cgi/private.py
file. Updated packages correct this issue.

http://www.linuxsecurity.com/content/view/118299

 
  Mandrake: Updated emacs/xemacs
  15th, February, 2005

Max Vozeler discovered several format string vulnerabilities
in the movemail utility in Emacs. If a user connects to a malicious POP
server, an attacker can execute arbitrary code as the user running emacs.
The updated packages have been patched to correct the problem.

http://www.linuxsecurity.com/content/view/118338

 
  Mandrake: Updated rwho packages fix
  16th, February, 2005

A vulnerability in rwhod was discovered by "Vlad902" that can
be abused to crash the listening process (the broadcasting process is
not affected). This vulnerability only affects little endian architectures.
The updated packages have been patched to correct the problem.

http://www.linuxsecurity.com/content/view/118355

 
   Red Hat
  RedHat: Updated mailman packages fix security
  10th, February, 2005

Updated mailman packages that correct a mailman security issue
are now available.

http://www.linuxsecurity.com/content/view/118239

 
  RedHat: Updated kdelibs and kdebase packages correct
  10th, February, 2005

Updated kdelibs and kdebase packages that resolve several security
issues are now available.

http://www.linuxsecurity.com/content/view/118246

 
  RedHat: Updated mod_python package fixes security issue
  10th, February, 2005

An updated mod_python package that fixes a security issue in
the publisher handler is now available.

http://www.linuxsecurity.com/content/view/118247

 
  RedHat: Updated emacs packages fix security issue
  10th, February, 2005

Updated Emacs packages that fix a string format issue are now
available.

http://www.linuxsecurity.com/content/view/118248

 
  RedHat: Updated xemacs packages fix security issue
  10th, February, 2005

Updated XEmacs packages that fix a string format issue are now
available.

http://www.linuxsecurity.com/content/view/118249

 
  RedHat: Updated Squirrelmail package fixes security
  10th, February, 2005

An updated Squirrelmail package that fixes several security
issues is now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/118250

 
  RedHat: Updated Squid package fixes security issues
  11th, February, 2005

An updated Squid package that fixes several security issues
is now available.

http://www.linuxsecurity.com/content/view/118264

 
  RedHat: Moderate: exim security update
  15th, February, 2005

Updated exim packages that resolve security issues are now available
for Red Hat Enterprise Linux 4. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118306

 
  RedHat: Important: php security update
  15th, February, 2005

Updated php packages that fix various security issues are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118307

 
  RedHat: Important: alsa-lib security update
  15th, February, 2005

An updated alsa-lib package that fixes a flaw that disabled
stack execution protection is now available for Red Hat Enterprise Linux
4. This update has been rated as having important security impact by the
Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118308

 
  RedHat: Important: xpdf security update
  15th, February, 2005

An updated xpdf package that fixes several security issues is
now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118309

 
  RedHat: Important: libtiff security update
  15th, February, 2005

Updated libtiff packages that fix various integer overflows
are now available for Red Hat Enterprise Linux 4. This update has been
rated as having important security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/118310

 
  RedHat: Low: vim security update
  15th, February, 2005

Updated vim packages that fix security vulnerabilities are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118311

 
  RedHat: Moderate: ethereal security update
  15th, February, 2005

Updated Ethereal packages that fix various security vulnerabilities
are now available for Red Hat Enterprise Linux 4. This update has been
rated as having moderate security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/118312

 
  RedHat: Low: enscript security update
  15th, February, 2005

An updated enscript package that fixes several security issues
is now available for Red Hat Enterprise Linux 4. This update has been
rated as having low security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118313

 
  RedHat: Moderate: krb5 security update
  15th, February, 2005

Updated Kerberos (krb5) packages that correct a buffer overflow
bug are now available for Red Hat Enterprise Linux 4. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/118314

 
  RedHat: Important: CUPS security update
  15th, February, 2005

Updated CUPS packages that fix several security issues are now
available. This update has been rated as having important security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118315

 
  RedHat: Important: gpdf security update
  15th, February, 2005

An updated gpdf package that fixes two security issues is now
available. This update has been rated as having important security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118316

 
  RedHat: Important: squid security update
  15th, February, 2005

An updated Squid package that fixes several security issues
is now available. This update has been rated as having important security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118317

 
  RedHat: Important: kdelibs security update
  15th, February, 2005

Updated kdelibs packages that resolve security issues in Konqueror
are now available for Red Hat Enterprise Linux 4. This update has been
rated as having important security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/118318

 
  RedHat: Important: kdegraphics security update
  15th, February, 2005

Updated kdegraphics packages that resolve security issues in
kpdf are now available. This update has been rated as having important
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118319

 
  RedHat: Moderate: ImageMagick security update
  15th, February, 2005

Updated ImageMagick packages that fix a security flaw are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118320

 
  RedHat: Low: perl-DBI security update
  15th, February, 2005

An updated perl-DBI package that fixes a temporary file flaw
in DBI::ProxyServer is now available for Red Hat Enterprise Linux 4. This
update has been rated as having low security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/118321

 
  RedHat: Low: cpio security update
  15th, February, 2005

An updated cpio package that fixes a umask bug is now available
for Red Hat Enterprise Linux 4. This update has been rated as having low
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118322

 
  RedHat: Moderate: htdig security update
  15th, February, 2005

Updated htdig packages that fix a security flaw are now available
for Red Hat Enterprise Linux 4. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118323

 
  RedHat: Moderate: thunderbird security update
  15th, February, 2005

An updated Thunderbird package that fixes a security issue is
now available for Red Hat Enterprise Linux 4. This update has been rated
as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118324

 
  RedHat: Moderate: squirrelmail security update
  15th, February, 2005

An updated Squirrelmail package that fixes several security
issues is now available for Red Hat Enterprise Linux 4. This update has
been rated as having moderate security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/118325

 
  RedHat: Moderate: mod_python security update
  15th, February, 2005

An updated mod_python package that fixes a security issue in
the publisher handler is now available for Red Hat Enterprise Linux 4.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118326

 
  RedHat: Important: perl security update
  15th, February, 2005

Updated Perl packages that fix several security issues are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118327

 
  RedHat: Important: python security update
  15th, February, 2005

Updated Python packages that fix several security issues are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118328

 
  RedHat: Important: emacs security update
  15th, February, 2005

Updated Emacs packages that fix a string format issue are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118329

 
  RedHat: Important: xemacs security update
  15th, February, 2005

Updated XEmacs packages that fix a string format issue are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118330

 
  RedHat: Important: mailman security update
  15th, February, 2005

Updated mailman packages to correct a security issue are now
available for Red Hat Enterprise Linux 4. This update has been rated as
having important security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118331

 
  RedHat: Important: postgresql security update
  15th, February, 2005

Updated postgresql packages that correct various security issues
are now available for Red Hat Enterprise Linux 4. This update has been
rated as having important security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/118332

 
  RedHat: Important: postgresql security update
  16th, February, 2005

Updated PostgreSQL packages to fix various security flaws are
now available for Red Hat Enterprise Linux 2.1AS. This update has been
rated as having important security impact by the Red Hat Security Response
Team.

http://www.linuxsecurity.com/content/view/118352

 
   SuSE
  SuSE: squid (SUSE-SA:2005:006)
  10th, February, 2005

The last two squid updates from February the 1st and 10th fix
several vulnerabilities. Their impact ranges from remote denial of service
through cache poisoning to possible remote command execution.

http://www.linuxsecurity.com/content/view/118241

 
  SuSE: mailman remote file disclosure
  14th, February, 2005

Due to incomplete input validation, the "private" CGI script
which handles archive retrieval could be used to read any file on the
system, including the configuration database of the mailman lists, which
includes passwords in plain text. A remote attacker just needs a valid
account on one mailing list managed by this mailman instance.

http://www.linuxsecurity.com/content/view/118279

 