-
Red Hat, Inc. Red Hat Security Advisory
Synopsis: New updated XFree86 packages available
Advisory ID: RHSA-2001:071-05
Issue date:2001-05-24
Updated on:2001-06-22
Product:
> * Bob can abuse the secure e-mail protocol to re-encrypt
>and resend Alice's message to Charlie;
This is abuse of the order in which signing and encryption take place - ie
encrypt(sign(message))
this implies you can extract sign(message) from the outer envelope, and then
send recrypt(sign(
The presented attacks look like a hybrid of replay and man in the middle
attacks known for years. I do agree that problems are real and I am
looking forward to reading your paper.
Let me fatasize as to how this can be solved in PGP. One
can include the key id of the intended recepient into the s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
Caldera International, Inc. Security Advisory
Subject:buffer overflow in fetchmail
Advisory number:CSSA-2001-022.0
Issue date:
-
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Kernel: FTP iptables vulnerability in 2.4 kernel and general bug
fixes
Advisory ID: RHSA-2001:084-03
Issue date:2001-06-21
Updated on:
___
Caldera Systems, Inc. Security Advisory
Subject:curses library, rtpm, atcronsh
Advisory number:CSSA-2001-SCO.1
Issue date: 2001 June, 22
Cross reference:
_
I have been working with the people of SurfControl for
a couple of weeks now and all they say is that they
will submit it as a bug in the software and try to get
a fix out in the next couple of months. So here goes
.
You can bypass the software by using a proxy sever
before your traffic i
Hi,
Within minutes of Microsoft posting the bulletin on their site, my mailbox
was swamped with emails from people asking the same two questions. I am
therefore forwarding the below email (minus the sample document!) to the
BugTraq mailing list to reach a wide audience and answer the two que
- Forwarded message from AIX Service Mail Server <[EMAIL PROTECTED]> -
This file contains security alerts published by the IBM Emergency Response
Service. These alerts are published at the following URL on the world-wide
web:
http://www.ers.ibm.com/
In order to keep the size of this
Hi,
Does anybody know why openssh (openssh-2.9p1) on a linux system does not call
pam_open_session if no pty is used? In this way the session modules (in
/etc/pam.d) are not activated.
This is espacially anoying if you
use pam_limits.so to set rlimits. Every user could
cirrcumvent them easily by
Hi ppl,
the subject already states the problem: there is a symlink follow
problem in the (in many distributions suid root) ktvision binary <=
0.1.1-271.
It is discouraging that nowadays such trivial symlink attacks are still
possible. No comment anymore. In order to be complete: a bash script
de
I'm going to try and throw another issue into this discussion now too:
denial of service. We have discussed it for attacking remote servers, but
not for the client viewing the image. It's something else that I spotted
while I was playing around with this issue just now.
If you have images that in
Lincoln Yeoh wrote:
>
> And if Microsoft Word becomes very intertwined with IE (word uses IE to
> fetch stuff) then word documents with image/object links will also be an
> issue. Mix well and add a few macros to taste ;).
>
While MS is the big wide target, it isn't just them that need to worry.
On Tue, 19 Jun 2001, Peter W wrote:
> On Tue, Jun 19, 2001 at 03:44:10PM +0200, Henrik Nordstrom wrote:
> > [EMAIL PROTECTED] wrote:
> >
> > > Folks are missing the point on the Referer check that I suggested.
> >
> > I intentionally selected to not go down that path in my message as there
> >
"Mayers, Philip J" <[EMAIL PROTECTED]> said:
> That's great - but did you even *bother* to check if the update works on
> RedHat 7.0?
>
> *Wonderful* - you've shipped an update that no-one can apply, unless they
> update their OpenSSL package (an update you don't provide). Doubtless you
> buil
>
If i remeber correctly arent the lucent access point products root/snmp write
and read access products passwd "public" ? I think you need to enable snmp on
the lucent box though... you can user their windows client and plug in
"public" and your in...
Matt
>
In testing the recent obsd exploit by Georgi Guninski out, I have found out
that my OpenBSD 2.8 box was not vulnerable. I have come to the conclusion
that those boxes with the stephanie kernel patches by Mike Schiffman and doe
are not vulnerable to this exploit, at least without modifying the expl
Hi,
I sent this mail 2 weeks ago, but still didn't receive a reply.
Neither did the cfingerd authors change anything on their
site (http://www.infodrom.ffis.de/projects/cfingerd/).
So I will do my duty and report this on bugtraq.
I didn't check versions prior to cfingerd 1.4.3, but I suppose the
On Thu, Jun 21, 2001 at 10:55:48AM -0400, Larry W. Cashdollar wrote:
>
> This has circulated on vuln-dev not sure if it made it here yet. Vendor
> has been notified and released a fixed version 2.1.11.
>
> My exploit:
> http://vapid.dhs.org/ntping_exp.c
>
> There is a much better exploit ou
Hi,
Quoting Jim Knoble ([EMAIL PROTECTED]):
> Some information in English is available here:
> http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/536.html
> Can anyone confirm that the patch there is appropriate?
The patch there is appropriate.
Greets,
Robert
--
On Thu 2001-06-21 (12:13), Jim Knoble wrote:
> Some information in English is available here:
>
> http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/536.html
>
> Can anyone confirm that the patch there is appropriate?
I asked Fumitoshi UKAI (Debian's w3m maintainer), he pointed me to
Bugtraq readers,
eXtremail is a free integrated pop3/smtpd mail daemon for Linux (x86), although
it is free it is closed sourced software. It has been found that the majority of the
newer versions are vulnerable to a remotely exploitable format string condition.
The following versions are confirm
All current secure-mail standards specify, as their "high-
security" option, a weak use of the public-key sign and encrypt
operations. On Thursday the 28th of this month, I'll present
my findings and my proposed repairs of the protocols, at the
Usenix Technical Conference here in Boston:
http:/
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-20010001.htm
Title:
ASP source code retrieved with Unicode extension
Advisory Code:
VIGILANTE-2001001
Author:
Hack Kampbjørn
Release Date:
2001-06-22.
System
24 matches
Mail list logo