---

Security Portal: Weekly Linux Security Digest 2000/10/09 to 2000/10/15

“Vendors are playing catch-up this week – several major
things, even more minor things. Ncurses has some buffer
overflows that might allow an attacker to gain extra privileges, if
the program using it is setuid. Tmpwatch has a bug that allows
attackers to execute a denial of service, and in some cases
possibly get a root shell. Big Brother can be tricked into running
shell commands; cfengine has some problems in syslog calls that can
be used to run commands as the user cfengine runs as (usually
root); and Boa Web server has a file disclosure vulnerability.”

“We lead off with general advisories and exploit code, then move
to vendor advisories. Most items appear in alphabetical order. If
we’re missing a Linux vendor’s advisory, please tell us – ditto for
any Linux-related security alerts. The long strings of hex in front
of package names are MD5 signatures.”
