Security Linux News for Dec 20, 2000
Trustix Security Advisory - gnupg, ftpd-BSD (Dec 20, 2000, 22:38)
"Today we updated gnupg and ftpd-BSD. All versions of Trustix
Secure Linux are affected."
Red Hat Security Advisory: Zope Hotfix package available (Dec 20, 2000, 21:53)
"The issue involves incorrect protection of a data updating
method on Image and File objects. Because the method was not
correctly protected, it was possible for users with DTML editing
privileges to update the raw data of a File or Image
object via DTML, though they did not have editing privileges on the objects
Trustix Security Advisory - stunnel (Dec 20, 2000, 21:35)
"The hole is a plain old "format bug in wrongly written syslog()
call", which could probably yield remote root under the right
Red Hat Security Advisory: Updated rp-pppoe packages fixing denial of service attack are available (Dec 20, 2000, 21:30)
"Bad TCP packets (e.g. a SYN packet with kind=3, len=0) over a
PPP-over-Ethernet link could lock up rp-pppoe."
Debian Security Advisory: insufficient protection for zope Image and File objects (Dec 20, 2000, 20:04)
"A busy week for the Zope team: on Monday another security alert
was released revealing a potential problem found by Peter Kelly.
This problem involved incorrect protection of data updating for
Image and File objects: any user with DTML editing privileges could
update the File or Image object data directly."
Red Hat Security Advisory: Updated gnupg packages now available (Dec 20, 2000, 07:45)
"When importing keys from public key servers, GnuPG will import
private keys (also known as secret keys) in addition to public
keys. If this happens, the user's web of trust becomes corrupted.
Additionally, when used to check detached signatures, if the data
file being checked contained clearsigned data, GnuPG would not warn
the user if the detached signature was incorrect."
Red Hat Security Advisory: New slocate packages available to fix local group slocate compromise (Dec 20, 2000, 07:39)
"New slocate packages are available for Red Hat Linux 6.x and Red
Hat Linux 7. These fix a problem with the database parsing code in
slocate. (slocate was not shipped with Red Hat Linux prior to
version 6.0, so earlier versions are not affected.)"