Advisories, May 30, 2006
May 31, 2006, 04:45

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200605-16

Severity: Low

Synopsis
CherryPy is vulnerable to a directory traversal that could allow attackers to read arbitrary files.

Background
CherryPy is a Python-based, object-oriented web development framework.

Affected packages

     Package               Vulnerable   Unaffected
  1  dev-python/cherrypy   < 2.1.1      >= 2.1.1

Description
Ivo van der Wijk discovered that the "staticfilter" component of CherryPy fails to sanitize input correctly.

Impact
An attacker could exploit this flaw to obtain arbitrary files from the web server.

Workaround
There is no known workaround at this time.

Resolution
All CherryPy users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/cherrypy-2.1.1"

References
[ 1 ] CVE-2006-0847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0847

Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-16.xml

Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory GLSA 200605-17

Severity: Normal

Synopsis
Multiple vulnerabilities in libTIFF could lead to the execution of arbitrary code or a Denial of Service.

Background
libTIFF provides support for reading and manipulating TIFF images.

Affected packages

     Package           Vulnerable   Unaffected
  1  media-libs/tiff   < 3.8.1      >= 3.8.1

Description
Multiple vulnerabilities, ranging from integer overflows and NULL pointer dereferences to double frees, were reported in libTIFF.

Impact
An attacker could exploit these vulnerabilities by enticing a user to open a specially crafted TIFF image, possibly leading to the execution of arbitrary code or a Denial of Service.

Workaround
There is no known workaround at this time.

Resolution
All libTIFF users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/tiff-3.8.1"

References
[ 1 ] CVE-2006-0405 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0405
[ 2 ] CVE-2006-2024 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2024
[ 3 ] CVE-2006-2025 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2025
[ 4 ] CVE-2006-2026 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2026

Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200605-17.xml

Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Mandriva Linux

Mandriva Linux Security Advisory MDKSA-2006:093

Package : dia

Problem Description:
A format string vulnerability in Dia allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering errors or warnings, as demonstrated via format string specifiers in a .bmp filename. NOTE: the original exploit was demonstrated through a command line argument, but there are other input mechanisms that are automatically processed by Dia, such as a crafted .dia file. (CVE-2006-2480)

Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480. (CVE-2006-2453)

Packages have been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2453

Updated Packages:
Mandriva Linux 2006.0:
Mandriva Linux 2006.0/X86_64:
Corporate 3.0:
Corporate 3.0/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact security_(at)_mandriva.com