Hi,
I just read the article at News.com
(http://news.com.com/2100-1023-947325.html?tag=fd_top) about the
controversy between HP and Snosoft. It seems that HP is upset that
details of a dangerous security hole in the HP Tru64 operating system
were published by "Phased", a security researcher with
Greetings,
The Brazilian free project LinuxSecurity Brasil announced yesterday the
first edition of its online Magazine, the LinuxSecurity Magazine that
represents the result of several IT Brazilian professionals' effort to
bring free knowledged for the national community.
LinuxSecurity Magazine
On Mon, Jul 29, 2002 at 06:13:08PM +, [EMAIL PROTECTED] wrote:
> On the other hand, the idea of combining many entropy sources using
> a cryptographic hash is a good one. If this is used for cryptographic
> purposes, I'd just like to see some more reliably-unpredictable sources in
> there, if
Michal Zalewski wrote:
>The First instance of chfn is still holding an open descriptor to
>/etc/ptmptmp, which later became /etc/ptmp - and, if we send SIGCONT
>to this process, will be renamed to /etc/passwd. Step 3 will fall
>through because there is no error checking, and new in
___ Summary __
Title: Directory traversal vulnerability in sendform.cgi
Date: July 30, 2002
Author: Steve Christey ([EMAIL PROTECTED])
Credits: Brian Caswell ([EMAIL PROTECTED])
Erik Tayler ([EMAIL PR
People,
Hi! I found a bug in the Eupload CGI, and I written a little
paper with the explanation, explotation and solution.
In fact everything would be solved with making chmod "0", but in
the 90% it is not used; reason why it is easily exploitable.
I hope they e
> To be more specific, there are two things you need in a challenge
> value: uniqueness and unpredictability. Lack of uniqueness allows an
> attacker to replay a past response to a future challenge. Predictability
> allows an attacker to pre-fetch a correct future response from one of the
> par
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
__
Caldera International, Inc. Security Advisory
Subject:Linux: temporary file races in libmm
Advisory number
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mandrake Linux Security Update Advisory
Package name: openssl
Advisory ID:
Aloha Adam,
I'm writing to you because I simply can't believe that Microsoft would
misunderstand the XWT Foundation Security Advisory vulnerability of July 29,
2002 to the point that they don't plan to immediately release hotfixes for
all JavaScript-enabled Microsoft products. Patching IE 6 throu
Aloha, Thor.
> I still quite fail to see the relevance to firewalls, as nothing is
> circumvented - the administrator has explicitly allowed HTTP traffic on
> (most often) port 80.
Outbound HTTP traffic is allowed by the firewall administrator, yes, but
this exploit has the effect of allowing th
On Tue, Jul 30, 2002 at 09:59:36AM -0400, Michal Zalewski wrote:
> On Tue, 30 Jul 2002, Andrew Pimlott wrote:
>
> > If he is smart, he will check whether the file is open (eg with fuser)
> > before removing it. So your attack does require an administrator
> > mistake.
>
> Not really. The file d
On Tue, 30 Jul 2002, Andrew Pimlott wrote:
> If he is smart, he will check whether the file is open (eg with fuser)
> before removing it. So your attack does require an administrator
> mistake.
Not really. The file does not have to be open to be present in the system.
It is prefectly possible t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 137-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
July 30th, 2002
- -
"Thor Larholm" <[EMAIL PROTECTED]> writes:
> I for one am in agreement on this issue, especially with regards to
> "Default" sites on e.g. IIS - it is very uncommon for anyone to
> serve content from the "Default" site (without checking the Host
> header) these days.
On the public Internet, you
If your vulnerability deals with the "Office Web Components" then no warning
should be necessary at this point, since Microsoft already yanked the OWC
downloads (both OWC 9 and 10) from their download pages back in April when
GreyMagic Software uncovered several vulnerabilities in them.
>From the
Sympoll is a customizable voting booth system written
in PHP. A missing variable integrity check allows
arbitrary files to be viewed on a web server that hosts
Sympoll version 1.2. Hosts that have disabled the
register_globals directive in their php.ini file are
not at risk.
This vulne
-BEGIN PGP SIGNED MESSAGE-
Hash: MD5
Product Vulnerability Reporting Form
SUMMARY
===
Adobe Content Server (now in use by more than 300 online retail sites) enables
the distribution of eBooks an
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory #6
#PRODUCT
IPSwitch IMail, All Current Versions
#VULNERABILITY
the IMail Web Calendaring service, iwebcal, can be crashed by issuing a malformed POST
request.. specifically one that neglects to
-BEGIN PGP SIGNED MESSAGE-
__
SuSE Security Announcement
Package:openssl
Announcement-ID:SuSE-SA:2002:027
Date: Tuesday,
Microsoft is aware of the vulnerability.
Since this successful remote exploitation of this vulnerability depends
on other mitigating factors, Microsoft believes it is not worthy of a
bulletin. This overflow will be fixed in XP service pack 1.
I will explain my understanding of the vulnerability.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Trustix Secure Linux Security Advisory #2002-0064
Package name: util-linux
Summary: local problem
Date: 2002-07-30
Affected versions: TSL 1.1, 1.
On Tue, Jul 30, 2002 at 11:15:00AM +0100, Ben Laurie wrote:
> Enclosed are patches for today's OpenSSL security alert which apply to
> other versions. The patch for 0.9.7 is supplied by Ben Laurie
> <[EMAIL PROTECTED]> and the remainder by Vincent Danen (email not
> supplied).
>
> Patches are for
On Mon, Jul 29, 2002 at 10:51:50AM -0400, Michal Zalewski wrote:
>the administrator will most likely add "rm -f /etc/ptmp" or
>equivalent to his crontab
If he is smart, he will check whether the file is open (eg with
fuser) before removing it. So your attack does require an
administrator
-BEGIN PGP SIGNED MESSAGE-
=
FreeBSD-SA-02:23.stdio Security Advisory
The FreeBSD Project
Topic: insecure ha
> From: Microsoft Security Response Center [mailto:[EMAIL PROTECTED]]
I for one am in agreement on this issue, especially with regards to
"Default" sites on e.g. IIS - it is very uncommon for anyone to serve
content from the "Default" site (without checking the Host header) these
days.
That's n
>The exploit allows an attacker to use any JavaScript-enabled web
>browser behind a firewall to retrive content from (HTTP GET) and
>interact with (HTTP POST) any HTTP server behind the
>firewall. If the client in use is Microsoft Internet Explorer 5.0+,
>Mozilla, or Netscape 6.2+, the attacker c
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cisco Security Advisory: TFTP Long Filename Vulnerability
=
Revision 1.0: Final
For Public Release 2002 July 30 18:00 GMT
- ---
Overview
---
A shoutbox is a fun tool webmasters put on their site that allows them to
receive feedback from users quickly. By typing in their name, site URL, &
message, users can post comments, suggestions, praises, flames, etc. onto
the shoutbox and it will be seen by everyo
-
GENTOO LINUX SECURITY ANNOUNCEMENT
-
PACKAGE:openssl
SUMMARY:denial of service / remote root exploit
DATE :2002-07-30 16:15:00
-
Enclosed are patches for today's OpenSSL security alert which apply to
other versions. The patch for 0.9.7 is supplied by Ben Laurie
<[EMAIL PROTECTED]> and the remainder by Vincent Danen (email not
supplied).
Patches are for 0.9.5a, 0.9.6 (use 0.9.6b patch), 0.9.6b, 0.9.6c, 0.9.7-dev.
These pat
OpenSSL Security Advisory [30 July 2002]
This advisory consists of two independent advisories, merged, and is
an official OpenSSL advisory.
Advisory 1
==
A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are
conducting a security review of OpenSSL, under the DARPA program
CHAT
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenPKG Security AdvisoryThe OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED]
-
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Updated openssl packages fix remote vulnerabilities
Advisory ID: RHSA-2002:155-11
Issue date:2002-07-25
Updated on:2002-07-29
P
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
++
| EnGarde Secure Linux Security Advisory July 30, 2002 |
| http://www.engardelinux.org/ ESA-20020730-019
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Trustix Secure Linux Security Advisory #2002-0063
Package name: openssl
Summary: Multiple security problems
Date: 2002-07-29
Affected versions: T
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenPKG Security AdvisoryThe OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED]
On Mon, Jul 29, 2002 at 03:38:27PM -0700, Microsoft Security Response Center wrote:
>
> Hi All -
>
> We'd like to set the record straight as regards the advisory
> published today by the XWT Foundation.
> address the issue via a service pack. Accordingly, a fix has been
> included in IE 6 Serv
38 matches
Mail list logo