Security Linux News for Mar 09, 2001
Debian Security Advisory: New Zope packages available (Mar 09, 2001, 21:31)
"This advisory covers several vulnerabilities in Zope that have
Zope SECURITY ALERT and Zope hotfix release (Mar 09, 2001, 21:28)
"A recent change to the access validation machinery made this
bug begin to affect security restrictions. The bug, with the change
to validation, made it possible to access Zope objects via
acquisition that a user would not otherwise have access to."
Debian Security Advisory: New XEmacs and gnuserv packages available (Mar 09, 2001, 20:42)
"Klaus Frank has found a vulnerability in the way gnuserv
handled remote connections....Gnuserv was derived from emacsserver
which is part of GNU Emacs."
LinuxSecurity.com: Linux Advisory Watch - March 9th 2001 (Mar 09, 2001, 07:46)
"Debian, Debian, Debian! If you're using Debian, it's time to
update. 13 Debian advisories were just recently released."
SANS Institute: Alert: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites (Mar 09, 2001, 07:31)
"In the largest criminal Internet attack to date, a group of
Eastern European hackers has spent a year systematically exploiting
known Windows NT vulnerabilities to steal customer data. More than
a million credit cards have been taken and more than 40 sites have
Debian Security Advisory: joe local attack via joerc (Mar 09, 2001, 07:16)
"An attacker can leave a .joerc file in a writable directory,
which would be read when an unsuspecting user starts joe in that
Debian Security Advisory: slrn buffer overflow (Mar 09, 2001, 01:02)
"Bill Nottingham reported a problem in the wrapping/unwrapping
functions of the slrn newsreader. A long header in a message might
overflow a buffer, which could result in executing arbitrary
code encoded in the message."
Debian Security Advisory: proftp runs as root, /var symlink removal (Mar 09, 2001, 00:44)
"This is an update to the DSA-032-1 advisory. The powerpc
package that was listed in that advisory was unfortunately compiled
on the wrong system which caused it to not work on a Debian
GNU/Linux 2.2 system."
Debian Security Advisory: proftp runs as root, /var symlink removal (Mar 07, 2001, 08:04)
"There is a configuration error in the postinst script, when the
user enters 'yes', when asked if anonymous access should be
enabled....There is a bug that comes up when /var is a symlink, and
proftpd is restarted."