NETWORK WORLD NEWSLETTER: JASON MESERVE on
SECURITY AND BUG PATCH ALERT
01/28/02
Today's focus: Rsync flaw fixed

Dear Wincenty Kaminski,

In this issue:

* Patches and alerts for Linux rsync, FreeBSD, Red Hat OpenLDAP, Sony Vaio, others
* Viruses, including one that spreads via IRC
* Behavior blocking repels new viruses, plus other interesting reading

_______________________________________________________________

Today's focus: Rsync flaw fixed

By Jason Meserve

Today's bug patches and security alerts:

* Linux vendors fix rsync vulnerability

A flaw in the way rsync, a synchronization tool for Linux, uses signed and unsigned numbers could be exploited to run arbitrary code on the affected machine. For Debian users, more information and a link to the appropriate patch should be posted shortly at:
http://www.debian.org/security/2002/

Red Hat:
https://www.redhat.com/support/errata/RHSA-2002-018.html

Conectiva:
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000458

EnGarde:
http://www.linuxsecurity.com/advisories/other_advisory-1853.html

SuSE:
http://lists2.suse.com/archive/suse-security-announce/2002-Jan/0003.html

* Problem found in FreeBSD kernel

A flaw in the FreeBSD kernel's exec system could lead to a race condition. A malicious user could attach a debugger to the process to exploit the flaw and potentially gain root access.
For more, go to:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:08.exec.asc

* Red Hat patches OpenLDAP

According to an alert from Red Hat, versions of OpenLDAP from 2.0.0 through 2.0.19 do not check permissions using access control lists when a user attempts to remove an attribute from an object in the directory by replacing its values with an empty list. Because schema checking is still enforced, a user can only remove attributes that the schema does not require the object to possess. For more, go to:
https://www.redhat.com/support/errata/RHSA-2002-014.html

* Updated Red Hat Kernel 2.4 available

Red Hat has updated Version 2.4 of its Linux kernel to fix a number of flaws that have been reported. For more, go to:
https://www.redhat.com/support/errata/RHSA-2002-007.html

* Caldera patches OpenServer setcontext and sysi86 vulnerabilities

A host of vulnerabilities in SCO OpenServer 5.0.6 and previous releases could break certain applications. This fix could cause some problems with other applications, however. Stay tuned to the Caldera support pages for updated information. For more, go to:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35.2/

* Caldera patches sort

The sort command in OpenUnix and UnixWare 7 creates insecure temporary files that could be exploited to gain elevated user privileges. Download the patch from:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.2/

* Flaw found in Sony Vaio

A problem with pre-installed software on the Sony Vaio line of computers could allow a malicious user to access the affected machine via the Internet. The flaw is found in Versions 3.0 and 3.1 of Vaio Manual. The attacker could use a Web page or HTML-formatted e-mail message to trigger the attack. For more information and to download a patch:
http://vcl.vaio.sony.co.jp/Security/english/tecinfo.html

* Flaw in Plumtree corporate portal

A cross-scripting vulnerability exists in multiple versions of the Plumtree corporate portal.
A malicious user could use JavaScript embedded in a Web page to exploit the flaw and cause the server to expose sensitive information. A patch is available from the Plumtree support site:
http://www.plumtree.com/company/technical_support.htm

* CERT issues warning on AOL ICQ

AOL's ICQ client has a similar problem to its sister product AOL Instant Messenger. The Games and Video chat request feature can be exploited to run arbitrary code on the affected user's machine. For more, go to:
http://www.cert.org/advisories/CA-2002-02.html

Story:
http://www.nwfusion.com/news/2002/0125icq.html

Today's roundup of virus alerts:

* VBS/JeremyO - A VBS virus that spreads via IRC. Once infected, a machine attempts to spread the virus to every other user that connects to the same IRC channel. (Panda Software)

* W97M/Myak - A nasty Word macro virus that attempts to delete certain files on the infected machine. If it doesn't find them, it adds lines to the autoexec.bat to look for the files each time the system is booted. On July 8, the virus attempts to delete the hard drive. (Panda Software)

* WM97/Falcon-A - A Word macro virus that disables access to the Visual Basic Editor. (Sophos)

From the interesting reading department:

* Behavior blocking repels new viruses

The future of computer viruses seems clear enough: ever more destructive "hybrid worms" that take advantage of software vulnerabilities and destroy files, leave behind holes for hackers to exploit, then scan for new victims at lightning speed.
http://www.nwfusion.com/news/2002/0128antivirus.html
Network World, 01/28/02

* Hybrid worms are hard to hook

Hundreds of brand-new computer viruses appeared out of the Internet ether last year, but the Code Red and Nimda "hybrid worms" that struck last summer proved to be among the most dangerous and hard to combat with traditional antivirus methods.
http://www.nwfusion.com/news/2002/129553_01-28-2002.html
Network World, 01/28/02

* Archives online

It's not lunch, dinner or breakfast for that matter, but it is free. Visit our newsletter archive at:
http://www.nwfusion.com/newsletters/bug/index.html

_______________________________________________________________

To contact Jason Meserve:

Jason Meserve is the Multimedia Editor of Network World Fusion and writes about streaming media, search engines and IP Multicast. Jason can be reached at mailto:jmeserve@nww.com.

_______________________________________________________________

Have editorial comments? Write Jeff Caruso, Newsletter Editor, at: mailto:jcaruso@nww.com

Copyright Network World, Inc., 2002

------------------------

This message was sent to: vkamins@enron.com