≡ Menu

internal database

Debian Linux project released the OpenSSH security updates for computers powered by its Debian Linux operating systems. The Openssh package has remote unsafe signal handler DoS Vulnerability. It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability.

Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a "[net]" process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability.

Package        : openssh
Vulnerability  : remote
Problem type   : unsafe signal handler
Debian-specific: no
CVE Id(s)      : CVE-2008-4109
Debian Bug     : 498678

How do I fix this problem?

Login as root and type the following commands to update the internal database, followed by corrected packages installation:
# apt-get update
# apt-get upgrade

Postfix MTA updated to fix security vulnerabilities such as incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root. This update has been rated as having moderate security impact.

All users of postfix should upgrade to these updated packages.

How do I patch Postfix under Debian / Ubuntu Linux?

First, update the internal database, enter:
# apt-get update
Install corrected Postfix package, enter:
# apt-get upgrade

How do I patch Postfix under RHEL / CentOS Linux?

Type the following command under RHEL / CentOS 5.x:
# yum update
Type the following command under RHEL <= 4.x: # up2date -u

Debian Linux project released today bug fixes for lighttpd and gaim package.

Gaim packages fix execution of arbitrary code

It was discovered that gaim, an multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code.

lighttpd packages fix multiple DOS issues

Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.

a) lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access.

b) connections.c in lighttpd before 1.4.16 might accept more connections than the configured maximum, which allows remote attackers to cause a denial of service (failed assertion) via a large number of connection attempts.

How do I fix lighttpd and gaim security issues?

First, update the internal database, enter:
# apt-get update
Install corrected packages, enter:
# apt-get upgrade

Debian Linux has issued a security update for its dbus package which is simple interprocess messaging system for X11 and other software parts under Linux. There is privilege escalation bug i.e. it performs insufficient validation of security policies, which might allow local privilege escalation:
=> Package : dbus
=> Vulnerability : programming error
=> Problem type : local
=> Debian-specific: no
=> CVE Id(s) : CVE-2008-0595

How do I fix this bug

Type the following two commands to update the internal database, followed by actual installation of corrected package:
# apt-get update
# apt-get upgrade

Several remote vulnerabilities have been discovered in the TYPO3 content management framework.

Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed to execute arbitrary code as the webserver user.

User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks, which is exposed when specific plugins are in use.

=> Package : typo3
=> Vulnerability : several
=> Problem type : remote
=> Debian-specific: no
=> Debian Bug : 485814

Type the following command to update the internal database, install corrected packages:
# apt-get update
# apt-get upgrade