Security Linux News for Jan 24, 2001
[CORE SDI ADVISORY] Weak authentication in AT&T's VNC (Jan 24, 2001, 21:54)
"A design flaw in the client authentication mechanism permits an
attacker to obtain legit credentials from a valid client in order
to gain unauthorized access to the server."
Red Hat Security Advisory: Updated PHP packages available for Red Hat Linux 5.2, 6.x, and 7 (Jan 24, 2001, 21:16)
"Clients uploading "multipart/form-data" information with form
requests could cause PHP 3.0.17 to crash. The GD module was not
compiled into the previously-issued PHP 4.0.3pl1 errata
Red Hat Security Advisory: String format vulnerability in icecast (Jan 24, 2001, 21:07)
"A string format vulnerability that allows the execution of
arbitrary commands exists in all versions of icecast. A patch was
posted to Bugtraq to solve the problem and has been incorporated
into this update. All users of icecast should apply this
Caldera Systems Security Advisory: password sniffing in kdesu (Jan 24, 2001, 20:53)
"There is a bug in kdesu that allows any user on the system to
steal the passwords you enter at the kdesu prompt."
Debian Security Advisory: Correction: New version of wu-ftpd released (Jan 24, 2001, 20:46)
"This additional advisory only announces a recompile of the
package for the Intel ia32 architecture. The upload from yesterday
was lacking PAM support."
AsiaBizTech: HP Japan Distributes Computer Virus from Web Site; Cause is Lax Linux Security (Jan 24, 2001, 18:38)
"In a Linux environment, there is no software tool that is
capable of automatically checking for viruses on writing files and,
therefore, we could not prevent the virus from infecting files," an
HP Japan official said."
ZDNet: Virus patches aren't being applied (Jan 24, 2001, 16:43)
"Exploiting a flaw in Washington University's FTP server, the
intruder had cracked the server's security and set up shop. Hall's
system--in this case, Red Hat 6.2--shipped with the software that
contained the hole. While a patch for the vulnerability was readily
available on Red Hat's Web site, like many other system
administrators, Hall just didn't get around to installing it."
Security Portal: Computer Crime Investigator's Toolkit: Part IV - Slack Files and Cryptography (Jan 24, 2001, 08:13)
"The average computer sleuth, though, does not have to know the
inner workings of designing cryptographic algorithms. But, he or
she does need to know the difference between simple and complex