On Fri, Feb 13, 2009 at 11:50:11AM -0500, Jason Starks wrote:
> I came across a problem that I am sure many security researchers have seen
> before:
>
> ja...@uboo:~$ cat bof.c
> #include
> #include
>
> int main()
> {
>
> char buf[512];
>
> memset(buf, 'A', 528);
>
> return 0;
>
> }
> ja...
On Mon, Feb 16, 2009 at 09:00:33AM -0500, ArcSighter Elite wrote:
> James Matthews wrote:
> > I would recommend doing the following things.
> >
> > 1. Ask on the Ubuntu GCC list what protection is implemented. (Or just look
> > at the source)
> > 2. Use GCC to see where the execution is being redi
On Thu, Apr 09, 2009 at 03:07:40PM +0200, Andreas Bogk wrote:
> Dear list,
>
> as discovered by Felix von Leitner (http://blog.fefe.de/?ts=b72905a8),
> Linux kernel patch 2.6.29.1 contains:
>
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -3667,7 +3667,7 @@ CIFSTCon(unsigned int xid, s
On Fri, Apr 10, 2009 at 01:26:43PM +0200, Thierry Zoller wrote:
>
> >The correct wording is "no advisory was released yet".
> An exception to the rule? The question is why? If fefe wouldn't
> have pointed it out there would have been no advisory,
> like the 100 other silently fixed security b
Hi,
We have escalated this within Novell and the CRS servlet got removed
last week on the day of the report.
Ciao, Marcus
On Mon, Feb 13, 2012 at 04:36:44PM +0100, Team wrote:
>
>
> Hello :-)
>
> I sent email stating the problem for the company,
> waited a few days and got no response, so
On Thu, Feb 23, 2012 at 07:11:53AM -0500, David C Frier wrote:
> On Wed, Feb 22, 2012 at 19:12, Jeffrey Walton wrote:
> > It appears to be official.
> >
> > Trustwave issued MitM certificates, which is deceptive, unethical, and
> > contrary to its agreement for inclusion.
> >
> > Mozilla just rewa
Hi,
How is this different from writing a fork bomb?
Ciao, Marcus
On Tue, Mar 13, 2012 at 09:42:29AM +0100, Christophe Alladoum wrote:
> [ Description ]
>
> An integer overflow was found in iputils/ping_common.c main_loop() function
> which could lead to excessive CPU usage when triggere
On Wed, May 16, 2012 at 07:54:13PM +0200, Nicolas Surribas wrote:
> I can't reproduce with current openSUSE 12.1...
>
> sh-4.2$ uname -rop
> 3.1.10-1.9-desktop x86_64 GNU/Linux
> sh-4.2$ lsb-release -ri
> Distributor ID: SUSE LINUX
> Release:12.1
> sh-4.2$ cat /proc/self/maps | grep vdso
>
On Wed, May 16, 2012 at 10:23:19PM +0200, Tavis Ormandy wrote:
> Tavis Ormandy wrote:
>
> > Adam Zabrocki wrote:
> >
> > > Hi Tavis,
> > >
> > > Don't know why you don't believe me :) Anyway:
> >
> > I don't believe any distribution stock kernel enabled it, because this is
> > just too simple
On Sat, Aug 18, 2012 at 04:00:20PM -0700, coderman wrote:
> Dan just released "DakaRand"
> http://dankaminsky.com/2012/08/15/dakarand/
>
> src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz
>
> while admitting that "Matt Blaze has essentially disowned this
> approach, and seems to be honestly hor
Hi,
Various openssh 6.2p1 users including our administrators
stumbled over this nice bug in the "nanossh server" during pre authentication
phase within nanossh ( https://www.mocana.com/for-device-manufacturers/nanossh/
)
Bug at openssh bugzilla:
https://bugzilla.mindrot.org/show_bug.cgi?
On Wed, Apr 06, 2011 at 02:01:58PM -0400, Ryan Sears wrote:
> Hey guys,
>
> It was recently discovered (NOT by myself) that the ISC dhclient was
> vulnerable to certain shell metacharacters in the hostname parameter
> specified by *any* DHCP server, causing it to potentially run arbitrary
> com
On Thu, Apr 28, 2011 at 06:42:13PM +0300, Henri Salo wrote:
> On Thu, Apr 28, 2011 at 09:14:57AM -0600, ctrun...@christophertruncer.com
> wrote:
> > Hello all,
> >
> > First off, if this isn't the place to ask this question, I apologize, and
> > feel free to ignore this e-mail.
> >
> > I've fo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:opera
Announcement ID:SUSE-SA:2006:038
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:kdebase3-kdm
Announcement ID:SUSE-SA:2006:039
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:OpenOffice_org
Announcement ID:SUSE-SA:2006:040
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:acroread
Announcement ID:SUSE-SA:2006:041
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:apache,apache2
Announcement ID:SUSE-SA:2006:043
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:MozillaFirefox,MozillaThunderbird,Seamonkey
Announcement ID:SUSE-SA:200
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:openssl,mozilla-nss
Announcement ID:SUSE-SA:2006:055
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:openssl
Announcement ID:SUSE-SA:2006:058
Date:
On Fri, Oct 20, 2006 at 10:09:13AM -0600, Bruce Ediger wrote:
> On Fri, 20 Oct 2006, Brendan Dolan-Gavitt wrote:
>
> > It seems like this kind of exploit is dying out, particularly as
> > different flavors of Linux proliferate, each with their own slightly
> > different libc and userland; in the
On Wed, Dec 08, 2010 at 12:44:09AM +0300, Kai wrote:
>
> > Anyone tested this in sandbox yet?
>
> 00:37 linups:../expl/kernel > cat /etc/*release*
> openSUSE 11.3 (i586)
> VERSION = 11.3
> 00:37 linups:../expl/kernel > uname -r
> 2.6.34.4-0.1-desktop
> 00:37 linups:../expl/kernel > gcc _2.6.37.l
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:kernel
Announcement ID:SUSE-SA:2005:067
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:kernel
Announcement ID:SUSE-SA:2005:068
Date:
On Thu, Jan 05, 2006 at 03:15:28PM -0600, H D Moore wrote:
> ---
> wine-20050930/dlls/gdi/driver.c
> ---
You have all the wrong places, this is all valid functionality.
You want this place:
dlls/gdi/metafile.c::PlayMetaFileRecord
...
case META_ESCAPE:
Escape(hdc, mr->rdParm[0], mr->r
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:novell-nrm
Announcement ID:SUSE-SA:2006:002
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:nfs-server
Announcement ID:SUSE-SA:2006:005
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:gpg,liby2util
Announcement ID:SUSE-SA:2006:009
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:CASA
Announcement ID:SUSE-SA:2006:010
Date: W
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:kernel
Announcement ID:SUSE-SA:2006:012
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:gpg,liby2util
Announcement ID:SUSE-SA:2006:013
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:gpg
Announcement ID:SUSE-SA:2006:014
Date: Fr
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:ImageMagick
Announcement-ID:SUSE-SA:2005:017
Date: Wed,
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:kernel
Announcement-ID:SUSE-SA:2005:018
Date: Thu, 24 Ma
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:mysql
Announcement-ID:SUSE-SA:2005:019
Date: Thu, 24 Mar
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:kernel
Announcement-ID:SUSE-SA:2005:021
Date: Mon, 04 Ap
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:kdelibs3
Announcement-ID:SUSE-SA:2005:022
Date: Mon, 11
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:RealPlayer
Announcement-ID:SUSE-SA:2005:026
Date: Wed, 2
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:postgresql
Announcement-ID:SUSE-SA:2005:027
Date: Wed, 2
-BEGIN PGP SIGNED MESSAGE-
__
SUSE Security Announcement
Package:Mozilla. Mozilla Firefox
Announcement-ID:SUSE-SA:2005:028
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:java2
Announcement ID:SUSE-SA:2005:032
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:RealPlayer
Announcement ID:SUSE-SA:2005:037
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:zlib
Announcement ID:SUSE-SA:2005:039
Date: W
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:heimdal
Announcement ID:SUSE-SA:2005:040
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:php/pear XML::RPC
Announcement ID:SUSE-SA:2005:041
Date:
had no workarounds on this issue.
++
Contact
++
Marcus Meissner [EMAIL PROTECTED]
1-888-565-9428
BEWARE THE JIZZTAPO
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:xorg-x11-server
Announcement ID:SUSE-SA:2006:016
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:flash-player
Announcement ID:SUSE-SA:2006:015
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:RealPlayer
Announcement ID:SUSE-SA:2006:018
Date:
On Fri, Mar 24, 2006 at 05:51:04PM +0100, kcope wrote:
> Hello,
>
> mod_ssl:
> /httpd-2.0.48/modules/ssl/ssl_engine_kernel.c (also in 2.0.55)
> proto:
> ap_log_error(const char *file, int line, int level, apr_status_t status, const server_rec *s, const char *fmt, ...)
>
>
> code: ap_log_error(
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:MozillaFirefox,mozilla
Announcement ID:SUSE-SA:2006:021
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:cron
Announcement ID:SUSE-SA:2006:027
Date: W
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:kernel
Announcement ID:SUSE-SA:2006:028
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:sendmail
Announcement ID:SUSE-SA:2006:032
Date:
On Sun, Mar 04, 2007 at 05:56:09AM -0600, Gadi Evron wrote:
> -
> 3. Are PHP applications also a target of this initiative?
>
> No they are not. If you want a month of PHP application bugs you can
> subscribe to the bugtraq or full-disclosure mailinglists.
>
> -
>
> http://www.php-securi
On Thu, Mar 15, 2007 at 02:16:41PM +0200, Ismail Dönmez wrote:
> On Thursday 15 March 2007 04:26:29 James Matthews wrote:
> > and you would think some bugs we got rid of in open source software!
>
> str{cpy,cat,...} which don't take a size attribute should be removed from
> standard libc, I don'
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:mozilla,MozillaFirefox,epiphany,galeon
Announcement ID:SUSE-SA:2005:045
On Fri, Aug 12, 2005 at 11:30:56AM +0200, Christian Khark Lauf wrote:
> Hello,
>
> Javi Polo wrote:
>
> > On Aug/11/2005, Scott Edwards wrote:
>
> >>That's right, you're thinking no way. Wine [http://www.winehq.org]
> >>not only runs the validation download, but it also produces a proper
> >>va
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:apache,apache2
Announcement ID:SUSE-SA:2005:046
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:acroread
Announcement ID:SUSE-SA:2005:047
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:pcre
Announcement ID:SUSE-SA:2005:048
Date: T
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:php4, php5
Announcement ID:SUSE-SA:2005:049
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:kernel
Announcement ID:SUSE-SA:2005:050
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:php4,php5
Announcement ID:SUSE-SA:2005:051
Date:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SUSE Security Announcement
Package:openssl
Announcement ID:SUSE-SA:2005:061
Date:
On Fri, Oct 12, 2007 at 05:02:48AM -0700, Andrew Farmer wrote:
> On 12 Oct 07, at 01:34, yearsilent wrote:
> > could anybody explain this bug?
> >
> > I saw the git diff:
> >
> >
> > - setuid(getuid());
> > - setgid(getgid());
> >
> The classic example (Gera's Law):
>
[File : abo1.c ]
After fixing your code (adding a missing #include )
> $ gcc -o abo1 abo1.c
Which is just not how to compile your code.
If you pass the right options:
$ gcc -O2 -D_FORTIFY_SOURCE=2 xx.c -o xx
$ ./xx `perl -e "print 'a' x 1024;"`
*** buffe
On Thu, May 31, 2007 at 06:07:30PM +0200, Thierry Zoller wrote:
> 5DFFC7C3DCFBCED5CEDD48F216936CF9
> 9B704583D6E5056E67C959B5CCEE2F548D3C70F3
This list is not called SHA1- or MD5-disclosure, it is called
full-disclosure.
Tell us the real thing or be silent.
Ciao, Marcus