-----BEGIN PGP SIGNED MESSAGE-----
Linux-Mandrake Security Update Advisory
Package name: proftpd
On Thu, Feb 08, 2001 at 02:52:45PM -0800, Greg KH wrote:
Chris Evans has discovered a security problem in the kernel select()
This should have read "sysctl()". Sorry for any confusion.
I discovered all versions of
buffer overflow vulnerabilities in
CTRLServer. These holes are NOT the same as the
APOP, USER command buffer overflow vulnerability;
this problem allows a remote attacker to execute
-----BEGIN PGP SIGNED MESSAGE-----
Smoothwall Security Advisory SSA-0902-1
February 9th 2001
AOLserver v3.2 is a web server available from http://www.aolserver.com.
A vulnerability exists which allows a remote user to break out of the
web root using relative paths (i.e. '...').
AOLserver v3.2 on Linux (RH 6.0) does not appear to be vulnerable.
I've only tested this with version 4.0 of the Palm
Palm allows you to set a password on the desktop
software. Without a password you are not able to
view the data.
There is a way to bypass and get rid of the
On an existing Palm Desktop make sure the
When Michal Zalewski found bug in ssh, most people tried to reinstall
their ssh. They usually install openssh 2.3.0 or higher, or ssh2.com
Well, it may not be the best fix using openssh client 2.3.0p1 (I didn't
check other versions).
I've compiled it from sources, so look at it:
On Wednesday, February 07, 2001, 11:15:48 PM, I wrote:
I believe ISC is still investigating this. Haven't heard from the
FreeBSD people yet, although they were the first I reported this to...
In the meantime, I was informed by Doug Barton (who maintains the Bind
port in FreeBSD) that
v3.1 seems to be safe. The password is requested @ the splashscreen, before
the rest of the interface loads. Alt-F does nothing, and Alt-H brings up
help, which explains what a password is. NOTE: This may be a modified
version. It's the updated Handspring Visor version, but it still has the Palm
Yet another error in the advisory released last Wednesday.
----- Original Message -----
From: "Iván Arce" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 07, 2001 6:25 PM
Subject: [CORE SDI ADVISORY] SSH1 session key recovery vulnerability
jose nazario [EMAIL PROTECTED] writes:
- debug("Rhosts authentication failed for '%.100s', remote '%.100s', host
+ log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host
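Review bot: promoting this message from debug() to log_msg() makes failed Rhosts authentication attempts visible in normal log output instead of only when debugging is enabled, which is the right direction for an authentication failure; the line is cut off here, so confirm that the argument list still matches every %.100s placeholder in the format string after the change.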
There exists a Linux system call sysctl() which is used to query and
modify runtime system settings. Unprivileged users are permitted to query
the value of many of these settings.
The unprivileged user passes in a buffer location and the length of this
buffer. Unfortunately, by
Here's a paper about Advanced remote OS detection with a focus on its
implementation in Perl.
lowlevel - network coding/network security
http://www.low-level.net - [EMAIL PROTECTED]
the attached script will create suid man shell on vulnerable systems
(man -l bug).
* Tomasz Kuniar wrote:
Ssh client is suid, so it could be a real problem. Must check source...
SUID is only needed when using rhosts or rshost-rsa authentication.
Many installations don't need it. Just set this option [taken from man ssh]:
On Thu, Feb 08, 2001 at 06:03:00PM -0500, [EMAIL PROTECTED] wrote:
Thanks to Solar Designer for finding the sysctl bug, and
for the versions of the sysctl and ptrace patches we used.
Thanks for crediting me, but actually it's Chris Evans who found the
sysctl bug that affects Linux 2.2. I only
Security Advisory: Lotus Notes Stored Form Vulnerability
Date: 8th February 2001
Author: Chris Jones (aka dp) [EMAIL PROTECTED]
Versions Affected: At present only Lotus
includes the line of code:
This is contained within what is listed as an "unsupported and
untested patch" developed by SSH.com.
The problem is that the arguments to "kill" are in the wrong order. In