June 20, 2001
Mandrake MDKSA-2001:056 tcpdump update - A number of remote buffer overflows were discovered in the tcpdump package that would allow a remote attack of the local tcpdump process. Intrusion detection using tcpdump would no longer be useful due to the attack stoping all network activity on the system. As well, this new version of tcpdump fixes the vulnerability with decoding AFS ACL packets which would allow a remote attacker to run arbitrary code on the local system with root privilege.
Mandrake MDKSA-2001:057 proftpd - Clarifying that the Cert advisory recently released with incorrect management of buffers due to glob() function does not pertain to proftpd on the Linux platform.
Mandrake MDKSA-2001:058 ispell - The ispell program uses mktemp() to open temporary files. This makes it vulnerable to symlink attacks. The program now has a patch from OpenBSD applied that uses mkstemp() instead, and switches gets() to fgets() for dealing with user input.
Mandrake MDKSA-2001:059 webmin - Recently, Caldera found that when webmin starts a system daemon from the web frontend it does not clear its environment variables. Since these variables contain the authorization of the administrator, any daemon would also get these variables.
Mandrake MDKSA-2001:060 rxvt - Samuel Dralet discovered a vulnerability in the rxvt terminal emulator recently, concerning a buffer overflow in the command.c file. This overflow can be exploited to provide elevated privileges on the system if rxvt is installed setgid. Because rxvt has never been installed setgid on any Mandrake Linux system, Mandrake Linux is not vulnerable to the problem.
June 19, 2001
CERT Advisory CA-2001-13 - Buffer Overflow In IIS Indexing Service DLL
Conectiva CLA-2001:403 - Wolfram Kleff reported  that fetchmail would segfault when receiving emails with large "To:" headers. This was due to a buffer overflow in the header parser and it could be exploited remotely.
Conectiva CLA-2001:404 - Two security fixes for xinetd
Redhat RHSA-2001:077-05 - LPRng fails to drop supplemental group membership.
June 18, 2001
Mandrake MDKSA-2001:046-2 (Update) - A problem exists with the kdesu component of kdelibs. It created a world-readable temporary file to exchange authentication information and delete it shortly after. This can be abused by a local user to gain access to the X server and could result in a compromise of the account that kdesu would access.
Microsoft MS01-033 - Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
June 17, 2001
Debian Security Advisory DSA-063-1 - zen-parse reported on bugtraq that there is a possible buffer overflow in the logging code from xinetd. This could be triggered by using a fake identd that returns special replies when xinetd does an ident request.
Another problem is that xinetd sets it umask to 0. As a result any programs that xinetd start that are not careful with file permissions will create world-writable files.
June 16, 2001
Debian Security Advisory DSA-060-1 - Wolfram Kleff found a problem in fetchmail: it would crash when processing emails with extremely long headers. The problem was a buffer overflow in the header parser which could be exploited.
Debian Security Advisory DSA-061-1 - fish stiqz reported on bugtraq that there was a printf format problem in the do_get() function: it printed a prompt which included the filename that was being decrypted without checking for possible printf format attacks. This could be exploited by tricking someone into decrypting a file with a specially crafted filename.
The second bug is related to importing secret keys: when gnupg imported a secret key it would immediately make the associated public key fully trusted which changes your web of trust without asking for a confirmation. To fix this you now need a special option to import a secret key.
Debian Security Advisory DSA-062-1 - Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) have a buffer overflow in the tt_printf() function. A local user could abuse this making rxvt print a special string using that function, for example by using the -T or -name command-line options. That string would cause a stack overflow and contain code which rxvt will execute.
Since rxvt is installed sgid utmp an attacker could use this to gain utmp which would allow him to modify the utmp file.
June 13, 2001
Conectiva CLA-2001:402 - Format string vulnerability in exim
Mandrake MDKSA-2001:056 - A number of remote buffer overflows were discovered in the tcpdump package that would allow a remote attack of the local tcpdump process. Intrusion detection using tcpdump would no longer be useful due to the attack stoping all network activity on the system. As well, this new version of tcpdump fixes the vulnerability with decoding AFS ACL packets which would allow a remote attacker to run arbitrary code on the local system with root privilege.
Microsoft MS01-030 Version 3.0 - Incorrect Attachment Handling in Exchange OWA Can Execute Script
June 12, 2001
Debian Security Advisory DSA-059-1 - Luki R. reported a bug in man-db: it did handle nested calls of drop_effective_privs() and regain_effective_privs() correctly which would cause it to regain privileges to early. This could be abused to make man create files as user man.
Microsoft MS01-032 - SQL Query Method Enables Cached Administrator Connection to be Reused.
Redhat RHSA-2001:073-04 - discovered format string in gnupg
Redhat RHSA-2001:074-03 - The ispell program uses mktemp() to open temporary files - this makes it vulnerable to symlink attacks.
Redhat RHSA-2001:075-04 -Xinetd runs with umask 0 - this means that applications using the xinetd umask and not setting the permissions themselves (like swat from the samba package), will create world writable files.
June 11, 2001
Mandrake MDKSA-2001:054 - Several buffer overflow vulnerabilities have been found in the UW-IMAP package by the authors and independant groups. These vulnerabilities can be exploited only once a user has authenticated which limits the extent of the vulnerability to a remote shell with that user's permissions.
Mandrake MDKSA-2001:055 - A bug exists in xinetd as shipped with Mandrake Linux 8.0 dealing with TCP connections with the WAIT state that prevents linuxconf-web from working properly. As well, xinetd contains a security flaw in which it defaults to a umask of 0. This means that applications using the xinetd umask that do not set permissions themselves (like SWAT, a web configuration tool for Samba), will create world writable files.
June 9, 2001
Debian Security Advisory DSA-058-1 - Megyer Laszlo found a printf format bug in the exim mail transfer agent. The code that checks the header syntax of an email logs an error without protecting itself against printf format attacks.
Microsoft MS01-030 Version 2.0 - Incorrect Attachment Handling in Exchange OWA Can Execute Script
June 8, 2001
Microsoft MS01-031 - Predictable Name Pipes Could Enable Privilege Elevation via Telnet
June 7, 2001
CONECTIVA CLA-2001:399 - Fix for two gnupg vulnerabilities
Microsoft MS01-030 - Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script.
June 4, 2001
FreeBSD-SA-01:40 - fts(3) routines contain race condition [REVISED]
June 3, 2001
SuSE SA:2001:020 - A format string vulnerability allowing local privilege escalation in versions of GnuPG before 1.0.6 has been found.