From: Rain Forest Puppy (rfp vulnwatch.org)
Date: Thu Jul 19 2001 - 17:08:58 CDT
Rather than have 14 separate entries with very little content, I'm just
going to one-off these. Here's a list of apps that have noted in their
changelogs to have fixed security problems. The version number listed is
the *fixed* version (as in, everything prior is vulnerable). I included
as much info as I could scrounge without going into code...those of you
who decided to take it further, I'd be interested in hearing the details.
Some of the details are vague because, well, the author/vendor was vague
on the problem/fix (they're taking after IBM and HP).
- rfp
--------------------------
phpMyChat 0.14.5
Changelog entry: "two security issues have been fixed thanks to Alexei
Shalin"
--------------------------
SANE 1.0.5
Changelog indicates security fixes
---------------------------
DNHTTPD 0.4.1
Attacker could use hex encoded ../../ URL requests to grab other files.
---------------------------
SILC 0.4
Fixes the security bug when sending a private message encrypted with a
private message key, the message might not actually be encrypted with the
appropriate key.
---------------------------
TWIG 2.7.2
The overall changelog indicates a problem fixed in the 2.7.0 release, and
there also seems to be some security-related fixes in 2.7.1 and 2.7.2.
---------------------------
FileManager 0.95
"Security updates"
[note from rfp]
No idea what the 'security updates' are, however, this script lets you
seemingly run all over the filesystem and view files anyways, only
protected by a potentially-breakable HTTP auth password. I don't
personally recommend it.
[/note]
---------------------------
nPulse 0.53p4
Fix for a potential security hole in the included web server
---------------------------
phpWebSite 0.7.9
"Minor bugfixes, including a fix for a minor security flaw (only affects
sites running multiple instances of phpWebSite under a single domain)."
---------------------------
AutoDNS 0.0.4
"Minor security fixes in terms of checking of domain names, and locking of
file access."
---------------------------
IntraGnat 1.4
"A security update was added."
[note from rfp]
IntraGnat is now up to 1.5; it's version 1.4 that contains the security
fix. Only other mention I could find was "bug fix in the project admin
area. security level patch and update"
[/note]
---------------------------
netscript 1.6.3
From changelog:
"Changed support of parsing remote data, to not parse dynamic variables.
This will remove some functionality, but it is much more of a security
risk to disclose, or use dynamic variables via remote input."
---------------------------
PHPSlice 0.1.5
"Fixed security hole in checkAccess() function (wonko)"
---------------------------
Radius 2.1.va.1
"Some calls to syslog() and the internally-defined log_msg() where a
format string may be derived from user input were removed"
---------------------------
MasqMail 0.1.15
From changelog:
"security fix, Debian Bug#102092: 'Privilege escalation in masqmail piped
alias handling': fixed by using set[ug]id instead of sete[ug]id in
peopen.c (noted by Colin Phipps)"
---------------------------
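The DNHTTPD entry above concerns hex-encoded ../../ requests. The following is an added example, not part of the original post and not DNHTTPD's code, showing the usual defense for that class of bug: decode the request path once, then validate the decoded bytes. The function names, the 1024-byte buffer and the Unix '/' separator are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst. Returns -1 on a malformed escape, an
 * encoded NUL byte, or output that does not fit; 0 on success. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            src += 2;
        }
        if (o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* 1 if the raw request path may be appended to the document root: it
 * decodes cleanly, is absolute, and has no ".." segment. The check runs on
 * the decoded bytes, and nothing downstream may decode the path again. */
int path_is_safe(const char *raw)
{
    char path[1024];
    const char *seg;
    if (url_decode(raw, path, sizeof path) != 0 || path[0] != '/') return 0;
    for (seg = path; *seg; ) {
        size_t len;
        while (*seg == '/') seg++;          /* skip separators */
        len = strcspn(seg, "/");            /* length of this segment */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        seg += len;
    }
    return 1;
}
```

A server that checks for ".." before decoding, or decodes a second time after the check, reopens the hole described in that entry.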