SSL server bugs fixed

Dec 11, 2003

* Patches from Oracle, Cisco, Mandrake Linux, others
* Beware e-mail with the subject line "When It's Cold Outside She Gives Me Warm Inside"
* No Christmas patches from Microsoft, and other interesting reading

Network World needs your help. We’re looking for the weirdest, most wild, descriptive and/or silly network product name you’ve come across. Got one to share? Fill out this short form and you could win a fabulous Network World prize:

Today’s bug patches and security alerts:

Oracle patches SSL server bugs

Oracle has issued a security alert and software patches for a set of serious vulnerabilities in the security protocols used by some of its server products. IDG News Service, 12/09/03.

SGI patches OpenSSL flaw:


Cisco patches ACNS vulnerability

According to an alert from Cisco, “By entering an overly long password, it may be possible to execute arbitrary code on a vulnerable device. This vulnerability affects all devices and hardware modules that are running ACNS software releases prior to 4.2.11 and 5.0.5. The workaround is to disable the CE GUI server.” For more, go to:
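The alert describes the classic pattern behind "overly long password leads to arbitrary code": a fixed-size buffer filled with attacker-controlled input of unchecked length, so the bytes past the end land on whatever sits next to the buffer in the stack frame, normally the saved return address. The following is an added illustration of that bug class and its fix, written for this page; it is not Cisco's code and makes no claim about how the ACNS GUI server actually handles passwords. The `authenticated` flag stands in for the return address so the overwrite can be observed without crashing, and the password `s3cret` and the 20-byte input are constructed for the demo.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 16  /* fixed-width field, as in many login handlers */

/* Stand-in for a stack frame. In a real frame the saved return address
 * sits just past the local buffer; here an 'authenticated' flag plays
 * that role so the overwrite is visible instead of a crash. */
struct login_frame {
    char buf[PASSWORD_MAX];
    unsigned int authenticated;  /* the control data an overflow clobbers */
};

/* Vulnerable pattern: copy however many bytes the client sent. */
bool login_unbounded(struct login_frame *f, const char *input)
{
    size_t n = strlen(input);
    /* Capped at the frame size only so this demo stays within defined
     * behaviour; a real strcpy() would keep writing past the frame. */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, input, n);  /* n > PASSWORD_MAX spills into 'authenticated' */
    return strncmp(f->buf, "s3cret", PASSWORD_MAX) == 0;
}

/* Hardened pattern: refuse input that does not fit before touching the buffer. */
bool login_bounded(struct login_frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= PASSWORD_MAX)  /* no room for the terminator: reject, do not truncate silently */
        return false;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
    return strcmp(f->buf, "s3cret") == 0;
}

/* Run one attempt against a fresh, unauthenticated frame and return the
 * flag afterwards: nonzero means the input overwrote control data. */
unsigned int flag_after(bool (*login)(struct login_frame *, const char *),
                        const char *input)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    login(&f, input);
    return f.authenticated;
}

/* Same, but return the login handler's own verdict. */
bool attempt(bool (*login)(struct login_frame *, const char *),
             const char *input)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    return login(&f, input);
}

int main(void)
{
    /* Constructed input: 20 'A's, four bytes longer than the buffer. */
    const char *overlong = "AAAAAAAAAAAAAAAAAAAA";
    printf("unbounded: login=%d flag=0x%08x\n",
           attempt(login_unbounded, overlong), flag_after(login_unbounded, overlong));
    printf("bounded:   login=%d flag=0x%08x\n",
           attempt(login_bounded, overlong), flag_after(login_bounded, overlong));
    return 0;
}
```

With the 20-byte input the unbounded handler rejects the password yet leaves the flag reading 0x41414141 ('AAAA'), which is exactly the situation in which a real frame's return address now points wherever the attacker chose; the bounded handler rejects the same input and leaves the flag at zero. Cisco's workaround of disabling the GUI server removes the code path that reads the password at all, which is the right interim measure when the patch cannot be applied immediately.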

Cisco warns of Unity vulnerabilities on IBM-based servers

Default installations of Cisco Unity running on IBM servers contain default user accounts and passwords that could be used to compromise the system. Only IBM servers running Unity are affected. For more, go to:


IE glitch gives spoofers powerful tool

A newly discovered vulnerability in Microsoft’s Internet Explorer browser could be a powerful new tool for scammers, allowing them to convincingly mask the real origin of Web pages used to trick targets into revealing sensitive information. IDG News Service, 12/10/03.

An illustration of the problem can be found here:


Yahoo fixes e-mail service security flaw

Yahoo has fixed a flaw in its Web-based e-mail service that exposed Yahoo Mail users to serious attacks, including potential interception of personal data, security company Finjan Software said Wednesday. IDG News Service, 12/10/03.


New gnupg fixes available

A flaw in the way gnupg handles type 20 ElGamal sign+encrypt keys could allow an attacker to recover the private key from a signature made with such a key. For more, go to:


Red Hat:



SGI releases Advanced Linux Environment security update #6

According to an advisory from SGI, “SGI has released Patch 10037: SGI Advanced Linux Environment security update #6, which includes updated RPMs for SGI ProPack v2.3 for the Altix family of systems.” For more, go to:


Mandrake Linux patches cvs

A flaw in versions of the cvs server prior to 1.11.10 could be exploited to create directories and files at the root level of the affected machine. For more, go to:

Mandrake Linux updates screen

A buffer overflow has been found in GNU screen, the virtual screen manager shipped with Mandrake Linux. Attackers could take control of other users’ screen sessions or potentially gain elevated privileges on the affected machine. For more, go to:

Mandrake Linux fixes ethereal flaws

A number of vulnerabilities in the ethereal network-monitoring tool could be exploited to crash the service or potentially run arbitrary code on the affected machine. For more, go to:


Immunix issues rsync patch

A heap overflow vulnerability in rsync can be exploited in combination with the recently discovered Linux kernel flaw to compromise Linux servers. Download the fix from:

Precompiled binary packages for Immunix 7.3:

Precompiled binary packages for Immunix 7+:


Today’s roundup of virus alerts:

W32/Agobot-BD – A backdoor Trojan that spreads via network shares protected by weak passwords. Once installed it connects to an IRC channel to listen for commands from an attacker, and it disables certain security-related applications. (Sophos)

Troj/Zana-A – A Trojan horse that opens a browser window displaying pornography on the infected machine. It may also attempt to download a dialer application from a remote site. (Sophos)

W32/Scold-A – An e-mail virus that comes with a subject line of “When It’s Cold Outside She Gives Me Warm Inside” and a similarly named attachment with a .scr extension purported to be a photo. The virus spreads to everyone listed in the infected machine’s Outlook address book. (Sophos)

Troj/Dloader-F – A Trojan horse that attempts to download code from a remote Web site, which wasn’t available at the time of this writing. (Sophos)


From the interesting reading department:

No Christmas patches from Microsoft

Microsoft has an early holiday gift for systems administrators: no monthly security patch release in December. IDG News Service, 12/09/03.

IEEE: Chinese security standard could fracture Wi-Fi

The implementation of a Chinese security standard for wireless networking could undermine efforts to develop a global standard for wireless LANs and drive up the cost of networking equipment for end users, warned a senior executive at the IEEE in a recent letter to Chinese government officials. IDG News Service, 12/09/03.

Agony for anti-virus vendor Sophos

UK anti-virus firm Sophos has signed a deal with The Sun’s agony aunt column ‘Dear Deidre’ to protect its virtual mailbag from viruses. 12/08/03.

New patch management mailing list

The mailing list is the industry’s first discussion list dedicated to security patch management. It covers the how-tos and whys of patch management across a broad spectrum of operating systems, applications and network devices, and is meant as an aid to network and systems administrators and security professionals responsible for maintaining the security posture of their hosts and applications.