Linux-Mandrake Security Update Advisory
Package name: proftpd
Date:
On Thu, Feb 08, 2001 at 02:52:45PM -0800, Greg KH wrote:
Chris Evans has discovered a security problem in the kernel select()
This should have read "sysctl()". Sorry for any confusion.
greg k-h
--
greg@(kroah|wirex).com
http://immunix.org/~greg
AOLserver v3.2 is a web server available from http://www.aolserver.com.
A vulnerability exists which allows a remote user to break out of the
web root using relative paths (ie: '...').
AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable.
OS-dependent code?
I've only tested this with version 4.0 of the Palm
Desktop software.
Palm allows you to set a password on the desktop
software. Without a password you are not able to
view the data.
There is a way to bypass and get rid of the
desktop password.
On an existing Palm Desktop make sure the
hi,
When Michal Zalewski found a bug in ssh, most people tried to reinstall
their ssh. They usually install openssh 2.3.0 or higher, or ssh2.com
Well, it could not be the best fix using openssh client 2.3.0p1 (I didn't
check other ver.).
I've compiled it from sources, so look at it:
On Wednesday, February 07, 2001, 11:15:48 PM, I wrote:
I believe ISC is still investigating this. Haven't heard from the
FreeBSD people yet, although they were the first I reported this to...
In the meantime, I was informed by Doug Barton (who maintains the Bind
port in FreeBSD) that
v3.1 seems to be safe. The password is requested @ the splashscreen, before
the rest of the interface loads. Alt-F does nothing, and Alt-H brings up
help, which explains what a password is. NOTE: This may be a modified
version. It's the updated Handspring Visor version, but it still has the Palm
Hello,
Yet another error in the advisory released last Wednesday.
- Original Message -
From: "Iván Arce" [EMAIL PROTECTED]
Newsgroups: core.lists.bugtraq
To: [EMAIL PROTECTED]
Sent: Wednesday, February 07, 2001 6:25 PM
Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
jose nazario [EMAIL PROTECTED] writes:
- debug("Rhosts authentication failed for '%.100s', remote '%.100s', host
'%.200s'.",
+ log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host
'%.200s'.",
user, client_user,
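Review bot: at the `log_msg(...)` call, `client_user` fills the "remote" field and is now promoted from debug() to log_msg(); `%.100s` only bounds its length, so control characters in that name should be stripped or escaped before the line is written, and a rate limit on this message is worth considering. The hunk is cut off after `user, client_user,`, so the argument matching `host '%.200s'` cannot be checked from the visible lines.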
Hi,
OVERVIEW
There exists a Linux system call sysctl() which is used to query and
modify runtime system settings. Unprivileged users are permitted to query
the value of many of these settings.
The unprivileged user passes in a buffer location and the length of this
buffer. Unfortunately, by
Here's a paper about Advanced remote OS detection with a focus on its
implementation in Perl.
-- f0bic.
--
lowlevel - network coding/network security
http://www.low-level.net - [EMAIL PROTECTED]
--
Hi @ll
the attached script will create suid man shell on vulnerable systems
(man -l bug).
ihq.
manexpl.sh
* Tomasz Kuniar wrote:
Ssh client is suid, so it could be real problem. Must check source...
SUID is only needed when using rhosts or rshost-rsa authentication.
Many installations don't need it. Just set this option [taken from man ssh]:
UsePrivilegedPort
Specifies
On Thu, Feb 08, 2001 at 06:03:00PM -0500, [EMAIL PROTECTED] wrote:
Thanks to Solar Designer for finding the sysctl bug, and
for the versions of the sysctl and ptrace patches we used.
Thanks for crediting me, but actually it's Chris Evans who found the
sysctl bug that affects Linux 2.2. I only
Security Advisory: Lotus Notes Stored Form Vulnerability
Date: 8th February 2001
Author: Chris Jones (aka dp) [EMAIL PROTECTED]
Versions Affected: At present only Lotus
http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm
includes the line of code:
kill(SIGALRM, getppid());
This is contained within what is listed as an "unsupported and
untested patch" developed by SSH.com.
The problem is that the arguments to "kill" are in the wrong order. In
16 matches