• United States

PostNuke flaw patched

Apr 26, 20045 mins

* Patches from Mandrake Linux, Slackware, Gentoo, others * Beware e-mails with subject line claiming the capture of Osama Bin Laden * Security flaws occupy router vendors, ISPs, and other interesting reading

Today’s bug patches and security alerts:

PostNuke patch available

A SQL injection flaw has been found in the PostNuke content management system. Users are urged to upgrade to Version 7.2.6-2. For more, go to:


SGI security update #18 available

The lastest SGI security update, which includes fixes for SGI ProPack v2.3 and SGI ProPack v2.4 for the SGI Altix family of systems, is now available. This release fixes issues in cadaver, mailman, squid and cvs. For more, go to:


@Stake warns of Netegrity SiteMinder flaw

A flaw in the way “affiliate” cookies are used in the Netegrity SiteMinder portal could be exploited to cause a heap overflow. For more, go to:


Mandrake Linux, Slackware patch xine

A temporary file vulnerability has been found in xine, which could be exploited by a local user to overwrite arbitrary files. For more, go to:

Mandrake Linux:



Mandrake Linux patches libneon

A number of format string vulnerabilities have been found in Neon, an HTTP and WebDav client library. For more, go to:

Mandrake Linux MySQL patch available

Temporary files created by two MySQL scripts are not properly deleted, allowing an attacker to exploit them in a symbolic link attack against the affected machine. This attack could be used to overwrite arbitrary files on the system. For more, go to:

Mandrake Linux issues fix for samba

A flaw in Samba could allow a local user to mount a file share from a remote server using the smbmnt utility. The local user could then gain root privileges on the affected machine. For more, go to:


Gentoo patches cadaver

Like the libneon patch above, Gentoo’s cadaver is a HTTP and WebDav client library with a number of format string vulnerabilities. A fix is available. For more, go to:

Gentoo releases monit patch

Two vulnerabilities in the monit HTTP interface could be exploited in a denial-of-service attack or to run arbitrary code on the affected machine. For more, go to:

Gentoo updates XChat

A stack overflow in previous version of XChat could be exploited by a remote user to run arbitrary code on the affected machine. An update is available to fix the flaw. For more, go to:

Gentoo patches ipsec-tools

A flaw in one of the ipsec-tools utilities results in ISAKMP headers being improperly checked. An attacker could exploit this in a denial-of-service attack against the affected system. For more, go to:


Flaw in Yahoo mail patched

A flaw in the free Yahoo Mail service could allow an attacker to take over a random account by send a specially crafted e-mail, according to an alert from eEye. Yahoo claims the flaw has been fixed. For more, go to:


iDefense warns of flaw in RealNetworks Helix Universal Server

A flaw in the way RealNetworks Helix Universal media server handles GET requests could be exploited by a remote user in a denial-of-service attack against the affected machine. RealNetworks says Version 9.03 of the server fixes the problem. For more, go to:


Today’s roundup of virus alerts:

Troj/Legmir-K – A password-stealing Trojan horse that e-mails its bounty to a remote user. The virus also terminates certain anti-virus applications. (Sophos)

Troj/StartPa-AE – A Trojan horse that changes various Internet Explorer settings every time Windows is started. (Sophos)

“Osama Captured” – An e-mail was floating around last week with a subject line claiming Osama Bin Laden had been captured. The link in the e-mail directs users to an advertising page that also tried to push Trojan horse code down to the visiting machine. (Panda Software)


From the interesting reading department:

Security flaws occupy router vendors, ISPs

Router vendors and their ISP customers last week scurried to patch two security holes that could enable denial-of-service attacks and knock out Internet service to enterprise users. Network World, 04/26/04.

User group defines security needs

An influential, industry user group is tackling a problem that has stumped many network executives: how to create an enterprise security architecture. Network World, 04/26/04.

Buffalo eases WLAN security setups

AOSS technology negotiates highest supported security settings among WLAN devices automatically. Network World, 04/26/04.

Group makes hardware security Job 1

The Trusted Computing Group is a collection of 55 vendors including HP, Intel and Microsoft that formed a year ago to develop specifications for chip-based security. Nancy Sumrall, marketing chair for the group and manager of the safer computing initiative within Intel’s desktop platforms group, recently gave Network World Senior Editor Ellen Messmer an update on the TCG. Network World, 04/26/04.

Start-ups unveil security appliances

Start-ups Crossbeam Systems and Imperva this week each will introduce security appliances aimed at protecting corporate resources from an assortment of threats. Network World, 04/26/04.

IBM preps desktop security service

IBM Global Services last week rolled out a comprehensive desktop management service with a focus on security for small to midsize businesses that need help managing their desktop PCs and printers. Network World, 04/26/04.

Network Associates sells Sniffer line, changes name to McAfee

Network Associates Thursday announced plans to sell its Sniffer network management technology in a $275 million cash deal and rename the company McAfee, in line with its plans to focus on security. Network World Fusion, 04/22/04.