Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Security Threat Watch 069
From: Security Threat Watch (NetworkComputing@update.networkcomputing.com)
Date: Mon Feb 28 2005 - 13:24:17 CST
Security Threat Watch
Number 069
Monday, February 28, 2005
Created for you by Network Computing & Neohapsis
--- Security News ----------------------------------------------
Classifying a vulnerability's level of severity is still a little bit
of a black art. Coming up with a specific, granular rating system that
applies to all environments and encompasses all risks usually winds up
overly complex. Yet many people still strive to come up with a more
universal solution. A discussion started last week concerning a
proposed classification system. Those of you interested in the topic of
vulnerability severity rating systems should look at the "Vuln scoring
system anyone?" thread at:
http://archives.neohapsis.com/archives/dailydave/2005-q1/
Until next issue,
- The Neohapsis Security Threat Watch Team
--- Advertisement -----------------------------------------------------
The only solution that delivers total mobility and maximum
flexibility, the Authenex A-Key offers multiple methods of
network authentication through PKI, Challenge-Response or
One-Time Password WITHOUT DRIVERS pre-installed.
Plus, the same A-Key leverages our entire suite of strong
e-security applications. Click Here to Get your FREE A-Key.
--- New Vulnerabilities -----------------------------------------------
Below is a list of new vulnerabilities announced this week.
Vulnerabilities considered to be 'critical' involve highly deployed
software, or carry a high risk of system compromise. Note that
vulnerabilities not highlighted may still be of critical severity
to your environment.
**** Highlighted critical vulnerabilities ****
Cyrus IMAP Server: multiple overflows
**** Newly announced vulnerabilities this week ****
____Windows____
Avaya IP Office Phone Manager: insecure local password storage
http://archives.neohapsis.com/archives/bugtraq/2005-02/0391.html
http://archives.neohapsis.com/archives/bugtraq/2005-02/0423.html
CIS WebServer 3.5.13: Web root escaping
http://archives.neohapsis.com/archives/bugtraq/2005-02/0451.html
Knet 1.04c: HTTP request remote overflow
http://archives.neohapsis.com/archives/bugtraq/2005-02/0457.html
SD Server 4.0.70: Web root escaping
http://archives.neohapsis.com/archives/bugtraq/2005-02/0396.html
WebConnect 6.4.4, 6.5: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2005-02/0401.html
____Solaris____
kcms_configure: insecure temp file handling
http://archives.neohapsis.com/archives/bugtraq/2005-02/0424.html
____Network Devices____
Cisco ACNS: default admin password, DoS
http://archives.neohapsis.com/archives/cisco/2005-q1/0006.html
____CGI____
CSGuestbook: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2005-02/0422.html
PBLang 4.65: XSS
http://archives.neohapsis.com/archives/bugtraq/2005-02/0406.html
http://archives.neohapsis.com/archives/bugtraq/2005-02/0407.html
http://archives.neohapsis.com/archives/bugtraq/2005-02/0408.html
TWiki ImageGalleryPlugin: remote command execution
http://archives.neohapsis.com/archives/bugtraq/2005-02/0417.html
iGeneric eShop 1.2: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2005-02/0397.html
paNews 2.0b4: PHP remote file include code execution
http://archives.neohapsis.com/archives/bugtraq/2005-02/0403.html
phpBB <2.0.12: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2005-02/0390.html
http://archives.neohapsis.com/archives/bugtraq/2005-02/0393.html
http://archives.neohapsis.com/archives/bugtraq/2005-02/0405.html
phpMyAdmin 2.6.1: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2005-02/0437.html
punBB 1.2.1: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2005-02/0430.html
vbulletin 3.0.6: remote PHP script execution
http://archives.neohapsis.com/archives/bugtraq/2005-02/0402.html
____Cross-Platform____
Cyclades AlterPath Manager: multiple vulnerabilities
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0072.html
Cyrus IMAP Server: multiple overflows
http://archives.neohapsis.com/archives/bugtraq/2005-02/0416.html
Soldier of Fortune II 1.03: cl_guid remote overflow
http://archives.neohapsis.com/archives/bugtraq/2005-02/0428.html
WU-FTPD 2.6.2: file globbing remote DoS
http://archives.neohapsis.com/archives/bugtraq/2005-02/0449.html
--- Patches and Updates -----------------------------------------------
The following contains a list of vendor patches and updates released
this week.
____Linux____
Debian > DSA 688-1: squid
http://archives.neohapsis.com/archives/bugtraq/2005-02/0413.html
Debian > DSA 689-1: mod_python
http://archives.neohapsis.com/archives/bugtraq/2005-02/0414.html
Debian > DSA 690-1: bsmtpd
http://archives.neohapsis.com/archives/vendor/2005-q1/0089.html
Fedora > FLSA-2005:2005: gdk-pixbuf
http://archives.neohapsis.com/archives/bugtraq/2005-02/0436.html
Fedora > FLSA-2005:2043: zlib
http://archives.neohapsis.com/archives/bugtraq/2005-02/0432.html
Fedora > FLSA-2005:2336: kernel
http://archives.neohapsis.com/archives/bugtraq/2005-02/0446.html
Fedora > FLSA-2005:2343: vim
http://archives.neohapsis.com/archives/bugtraq/2005-02/0434.html
Mandrake > MDKSA-2005:046: uim
http://archives.neohapsis.com/archives/linux/mandrake/2005-q1/0109.html
Mandrake > MDKSA-2005:047: squid
http://archives.neohapsis.com/archives/linux/mandrake/2005-q1/0110.html
SuSE > SUSE-SA:2005:008: squid
http://archives.neohapsis.com/archives/vendor/2005-q1/0084.html
SuSE > SUSE-SA:2005:009: cyrus-imapd
http://archives.neohapsis.com/archives/vendor/2005-q1/0087.html
SuSE > SUSE-SA:2005:010: kernel / nvidia driver
http://archives.neohapsis.com/archives/vendor/2005-q1/0088.html
____HP-UX____
SSRT4694: ftpd
http://archives.neohapsis.com/archives/bugtraq/2005-02/0427.html
--- Sign Off ----------------------------------------------------------
If this e-mail was passed to you, and you would like to begin receiving
our free security e-mail newsletter on a weekly basis, we invite you to
subscribe today by forwarding this message to
[subscribe_stw@update.networkcomputing.com].
Or you can subscribe directly here:
http://www.networkcomputing.com/go/stw.jhtml
To manage all aspects of your subscription and newsletter account,
simply use the URL below. You'll need your e-mail address and
password to log in. If you don't have your password, you can generate
a new one using the same URL. Once logged in, you can change your
e-mail address and password as well as select specific platforms for
which you'd like to receive information on patches and vulnerabilities.
If you have any questions regarding this system, please don't hesitate
to e-mail us at stw@nwc.com.
http://stwpref.update.networkcomputing.com/CMP/NWC/prefctr.asp
Put Us On Your White List
Don't let an over-eager e-mail filter bounce the Network Computing
Security Threat Watch newsletter! Our address:
NetworkComputing@update.networkcomputing.com
needs to be in your address book or on your anti-spam white list. Ask your
admin or ISP how to do this, or check your anti-spam utility documentation.
Important subscription contacts:
CMP Media LLC
600 Community Drive
Manhasset, NY 11030
Missed an issue? You can find all back issues of Security Threat Watch
(as well as Security Alert Consensus and Security Express) online.
http://archives.neohapsis.com/
Note: To better serve you we use dynamic URLs within our advertisements,
which allow us to see how many readers click on a given ad. We do not
share this information, or your personal information, with any outside
party. Concerned about the privacy of your information relative to these
tracking URLs? Please refer to our privacy policy.
http://www.doubleclick.net/us/corporate/privacy
We'd like to know what you think about the newsletter and what
information you'd like to see in future editions. E-mail your comments
to stw@nwc.com.
To unsubscribe from this newsletter, forward this message to
[unsubscribe_stw@update.networkcomputing.com].
Copyright (c) 2005 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com). Powered by Neohapsis Inc., a
Chicago-based security assessment and integration services consulting
group (info@neohapsis.com | http://www.neohapsis.com/).