From: InfoSec News (isn_at_c4i.org)
Date: Mon Jul 15 2002 - 05:47:02 CDT


    +----------------------------------------------------------------+
    | LinuxSecurity.com Linux Advisory Watch |
    | July 12th, 2002 Volume 3, Number 28a |
    +----------------------------------------------------------------+
     
      Editors: Dave Wreski Benjamin Thomas
                   dave@linuxsecurity.com ben@linuxsecurity.com
     
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week. It
    includes pointers to updated packages and descriptions of each
    vulnerability.

    This week, advisories were released for LPRng, squid, and bind/glibc. The
    vendors include Conectiva, Mandrake, and SuSE. If you missed last week's
    newsletter, or have not yet updated apache, please visit the following
    URLs:

     July 5th 2002:
     http://www.linuxsecurity.com/articles/forums_article-5255.html

     June 28th 2002:
     http://www.linuxsecurity.com/articles/forums_article-5211.html

     June 21st 2002:
     http://www.linuxsecurity.com/articles/forums_article-3.html

    - Guardian Digital Combats Proprietary Software Licensing Deadline -

    Guardian Digital, Inc., the first full-service open source Internet server
    security company, has announced a special incentive program designed to
    provide companies with an alternative to Windows-based servers and
    applications as the July 31st deadline for Microsoft's new licensing
    program approaches.

    Press Release:
    http://www.guardiandigital.com/company/press/EnGarde-Licensing-Promotion.pdf

    Save Now:
    http://store.guardiandigital.com/html/eng/493-AA.shtml

    FEATURE: Threat Becomes Vulnerability Becomes Exploit

    The recent situation regarding the Apache Chunk Encoding Vulnerability has
    caused plenty of controversy in the security industry. It began with the
    community's dislike of the release of information.

     http://www.linuxsecurity.com/feature_stories/feature_story-113.html

     

    +---------------------------------+
    | LPRng | ----------------------------//
    +---------------------------------+
      
    Matthew Caron pointed out that using the LPRng default configuration, the
    lpd daemon will accept job submissions from any remote host. These
    updated LPRng packages modify the job submission policy in /etc/lpd.perms
    to refuse print jobs from remote hosts by default.

     Mandrake Linux 8.2:
     8.2/RPMS/LPRng-3.8.6-2.1mdk.i586.rpm
     c22c7e66ba57a5adc12bc989e3e315d0

     8.2/SRPMS/LPRng-3.8.6-2.1mdk.src.rpm
     ef4539669b170549739a538c530131e9

     http://www.mandrakesecure.net/en/ftp.php

     Mandrake Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2188.html

    +---------------------------------+
    | squid | ----------------------------//
    +---------------------------------+

    An attacker can exploit some of these vulnerabilities to execute arbitrary
    code remotely as the user running squid (which in Conectiva Linux is
    "proxy" or "nobody"), cause a Denial-of-Service (DoS) in the server or
    inject/get invalid data in/from the network.

     Conectiva:
     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     squid-2.4.7-1U8_3cl.i386.rpm

     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     squid-auth-2.4.7-1U8_3cl.i386.rpm

     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     squid-doc-2.4.7-1U8_3cl.i386.rpm

     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     squid-templates-2.4.7-1U8_3cl.i386.rpm

     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-2189.html
      
     SuSE-8.0: i386
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/
     squid-2.4.STABLE6-2.i386.rpm
     01f5c698e0418e6055e9ed1018493380
     
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/
     squid-2.4.STABLE6-9.i386.patch.rpm
     917c26da9c444085d045b708548eae3e

     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/
     squid-2.4.STABLE6-9.i386.rpm
     fa4780901f96712ea22eef28bdf53700

     SuSE Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-2191.html

    +---------------------------------+
    | bind/glibc | ----------------------------//
    +---------------------------------+

    A vulnerability has been discovered in some resolver library functions.
    The affected code goes back to the resolver library shipped as part of
    BIND4; code derived from it has been included in later BIND releases as
    well as the GNU libc.

     SuSE:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

     SuSE Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-2193.html

    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc. LinuxSecurity.com

         To unsubscribe email vuln-newsletter-request@linuxsecurity.com
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------

    -
    ISN is currently hosted by Attrition.org

    To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    in the BODY of the mail.