Find the information you need for your favorite open source distribution .
The cdwtools package is a frontend for various programs used to create CDs. Several buffer overflows and /tmp vulnerabilities exist in the cdwtools package. Thanks to Brock Tellier bringing this problem to our attention.
The mirror package is a tool to duplicate the contents of ftp servers. A vulnerability exists when attackers can create directory like " .." on the target mirror ftp server.
sccw does insufficient bounds checking, trust it's environment and calls insecure system functions. On a default installation sccw is setuid root.
The /usr/bin/pg and /usr/bin/pb tools can be used to read any file on the system.
Several buffer overflows have been found in proftpd which have been verified to be exploitable from an remote attacker. The fixing and finding of new holes is going on for over 2 weeks now, and there is no end in sight. Even with all known fixes, proftpd is still vulnerable to remote exploitation.
When lynx calls external programs for protocols (e.g. telnet), the location is passed unchecked. This can be used to activate commandline parameters. For example, this reference [A HREF="telnet://-n.rhosts"]click me[/A] would activate the tracefile options on the telnet client, with the result, that a .rhosts in the current directory would created or overwritten.
On June the 28th SuSE released a new pine package, which fixes a security bug. Unfortunately the patch brokes IMAP support for pine. Now there is a new package available which works correctly.
Three security threats were found in the vixie crond, which is shipped with SuSE Linux. 1) no boundchecking on a local buffer, while copying data from MAILTO 2) passing invalid options to sendmail 3) it doesn't drop root privileges while sending acknowledge mail to a user
The security breach occurs when you try to transfer an empty directory into a non-existent directory. In that case rsync sets the permissions of the working directory to those of the empty directory; this means, that the permissions of your home directory are changed to the file access mode of the empty directory if you do a remote rsync by using ssh/rsh.
The way in.identd is started by inetd from a standard /etc/inetd.conf on a SuSE Linux distribution may be exploited to mount a Denial-of-Service attack against the system. When inetd starts in.identd with the "wait" flag and the "-w -t120" options, the in.identd will start to listen on the well known port while inetd deactivates its own listener for the time in.identd is alive.
A buffer overflow has been found in libtermcap's tgetent() function. If a setuid root program uses this function, the user could execute arbitrary code. SuSE Linux 6.0, 6.1 and 6.2 are not affected, since the only program using libtermcap is bc. This program is not setuid root.
xmonisdn which is part of the i4l package is installed setuid root by default. To control and display the status of the ISDN network connections xmonisdn uses external programs, which are executed by the system() systemcall, without taking care of a safe environment. The problem arises by old libc, that don't overwrite the IFS environment variable.
a) A setuid root installed smbmnt could lead to a security breach due to a race condition. b) The NetBIOS name server nmbd is vulnerable to a denial-of-service attack. c) The message service of the SMB-/CIFS-server has got a buffer overflow.
The KDE screensaver klock includes a bug, which allows to bypass the password authentication. While klock waits for kcheckpass to verify the password a timer is triggered and the dialog box is deleted. After kcheckpass completes klock crashs.
The zsoelim program, which is part of the man package, creates files in /tmp without security checkings.
By sending a malicious formated email pine could be tricked into executing shell scripts or binary programs.
Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.
Cloud Security Cryptography Desktop Security Firewall Government Hacks/Cracks IoT Security Network Security Organizations/Events Privacy Security Projects Security Trends Security Vulnerabilities Server Security Vendors/Products
Debian Debian LTS Fedora Gentoo Mageia Oracle openSUSE RockyLinux Slackware SuSE Ubuntu
Harden My Filesystem Learn Tips and Tricks Secure My E-mail Secure My Firewall Secure My Network Secure My Webserver Strengthen My Privacy
Best Secure Linux Distros for Enhanced Privacy & Security The Truth About Linux Malware & How to Protect Your System Is Linux A More Secure Option Than Windows For Businesses? How Secure Is Linux? Top Tips for Securing Your Linux System
Advertise Contribute Your Article Legal Notice RSS Feeds Contact Us Terms of Service Privacy Policy
Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.
