[Full-disclosure] [ MDVSA-2011:157 ] freetype2

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2011:157 http://www.mandriva.com/security/

[Full-disclosure] [ MDVSA-2011:158 ] phpmyadmin

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2011:158 http://www.mandriva.com/security/

Re: [Full-disclosure] [SECURITY][GNAA 1488-1] slimhttpd security-update

Had to giggle when I saw it yesterday. ALMOST got nimped too at that,... On Thu, Oct 20, 2011 at 9:33 PM, xD 0x41 sec...@gmail.com wrote: eep yep sorry but i had a chuckle :P lol. On 21 October 2011 02:09, Laurelai laure...@oneechan.org wrote: On 10/19/2011 06:47 PM, N Za wrote:

Re: [Full-disclosure] [SECURITY][GNAA 1488-1] slimhttpd security-update

On Thu, 20 Oct 2011 10:09:07 CDT, Laurelai said: Did any of the other channers on the list laugh uncontrollably at this? .eu addresses for an of America was a nice subtle touch. ;) pgp9pOMpAnUlp.pgp Description: PGP signature ___ Full-Disclosure -

[Full-disclosure] TeamSHATTER Security Advisory: Buffer Overflow in Oracle Database (CTXSYS.DRVDISP.TABLEFUNC_ASOWN function)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TeamSHATTER Security Advisory October 20, 2011 Risk Level: Medium Affected versions: Oracle Database Server version 10gR1, 10gR2 and 11gR1 Remote exploitable: Yes (Authentication to Database Server is needed) Credits: This vulnerability was

[Full-disclosure] TeamSHATTER Security Advisory: Database Vault Account Management Vulnerabilites

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TeamSHATTER Security Advisory October 20, 2011 Risk Level: Medium Affected versions: Oracle Database Server version 10gR2, 11gR1 and 11gR2 Remote exploitable: Yes Credits: This vulnerability was discovered and researched by Esteban Martinez Fayo

[Full-disclosure] TeamSHATTER Security Advisory: SQL Injection Vulnerability in Oracle DROP INDEX for spatial datatypes

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 TeamSHATTER Security Advisory October 20, 2011 Risk Level: High Affected versions: Oracle Database Server version 10gR1, 10gR2, 11gR1 and 11gR2 Remote exploitable: No Credits: This vulnerability was discovered and researched by Martin Rakhmanov

Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting

For what it's worth, I found this article to be far more matter of fact in regard to the general concept, the existing (default) conditions in play, and the conditions which need to be in place (or manipulated) in order for this to be exploited than some of the other material your company has

[Full-disclosure] [ GLSA 201110-14 ] D-Bus: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - -

[Full-disclosure] Google Chrome PoC

To fuzz Opera the hole time is boring, so i fuzzed Google Chrome. ;) October 22, 2011 Ohh nice! What u doing google? Thx 4 ur bug! 0__o Google Chrome PoC, killing thread. Exploitable or only a DOS!? Found no way to exploit it. Good Luck!!! Testsystem: WinXP SP3, Win7(64 bit) Google Chrome

[Full-disclosure] Symlink vulnerabilities

After seeing an advisory for symlink attacks in ubuntu and opensuse: http://people.canonical.com/~ubuntu-security/cve/2009/CVE-2009-1297.html Which I thought people really didn't care too much about anymore, I took a quick look at one of my ubuntu 8.04lts boxes: /sbin/iscsi_discovery:

Re: [Full-disclosure] Symlink vulnerabilities

On Fri, 21 Oct 2011 19:59:59 EDT, b...@fbi.dhs.org said: Which I thought people really didn't care too much about anymore, I took a quick look at one of my ubuntu 8.04lts boxes: These are so easy to fix/avoid, I don't know why developers are still introducing them to their code. It's

[Full-disclosure] [ GLSA 201110-15 ] GnuPG: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-15 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - -

[Full-disclosure] [ GLSA 201110-16 ] Cyrus IMAP Server: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - -

Re: [Full-disclosure] Symlink vulnerabilities

In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races, what you should be doing is using pam_namespace or similar so each user gets their own /tmp namespace. That would result in counterintuitive behavior, I suppose... /tmp is a fairly stupid and largely unnecessary

Re: [Full-disclosure] Symlink vulnerabilities

If you are in charge of a distro, it would not hurt to nuke it altogether and change all packages in your control to use per-user $TMPDIR. Some third-party stuff will break - but it breaks every now and then anyway. Excellent suggestion, and you've piqued my curiosity. What distros exist that

Re: [Full-disclosure] Symlink vulnerabilities

On 22 October 2011 15:39, Michal Zalewski lcam...@coredump.cx wrote: In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races, what you should be doing is using pam_namespace or similar so each user gets their own /tmp namespace. That would result in counterintuitive

Re: [Full-disclosure] Symlink vulnerabilities

On Sat, 22 Oct 2011 01:23:34 EDT, Byron Sonne said: If you are in charge of a distro, it would not hurt to nuke it altogether and change all packages in your control to use per-user $TMPDIR. Some third-party stuff will break - but it breaks every now and then anyway. Excellent