GOBBLES found a buffer overflow in gzip that occurs when compressingfiles with really long filenames. Even though GOBBLES claims to havedeveloped an exploit to take advantage of this bug, it has been saidby others that this problem is not likely to be exploitable as othersecurity incidents.
Joost Pol found a buffer overflow in the address handling code ofmutt (a popular mail user agent). Even though this is a one byteoverflow this is exploitable.
Wietse Venema reported he found a denial of service vulnerability inpostfix. The SMTP session log that postfix keeps for debugging purposescould grow to an unreasonable size.
Nicolas Boullis found a nasty security problem in the wmtv (adockable video4linux tv player for windowmaker) package asdistributed in Debian GNU/Linux 2.2.
The icecast-server (a streaming music server) package as distributedin Debian GNU/Linux 2.2 has several security problems including a remote root vulnerability.
CORE ST reports that an exploit has been found for a bug in the wu-ftpdglob code (this is the code that handles filename wildcard expansion).Any logged in user (including anonymous ftp users) can exploit the bugto gain root privilege on the server.
We have received reports that the "SSH CRC-32 compensation attackdetector vulnerability" is being actively exploited. This is the sameinteger type error previously corrected for OpenSSH in DSA-027-1.OpenSSH (the Debian ssh package) was fixed at that time, butssh-nonfree and ssh-socks were not.
Using older versions of procmail it was possible to make procmail crash by sending it signals. On systems where procmail is installed setuid this could be exploited to obtain unauthorized privileges.
In SNS Advisory No. 32 a buffer overflow vulnerability has been reported in the routine which parses MIME headers that are returned from web servers. A malicious web server administrator could exploit this and let the client web browser execute arbitrary code.
