Vendors patch postfix flaws

Today’s bug patches and security alerts:

Vendors patch postfix flaws

New versions of postfix, a mail transfer agent, are available that fix two vulnerabilities in older versions of the software. One flaw could be exploited in a denial-of-service (DoS) attack against the affected machine. Another flaw could be exploited to use postfix as a distributed DoS tool for launching attacks against random IP addresses. For more, go to:

Red Hat:

https://rhn.redhat.com/errata/RHSA-2003-251.html

Debian:

https://www.debian.org/security/2003/dsa-363

SuSE:

https://www.suse.com/de/security/2003_033_postfix.html

Conectiva:

https://www.nwfusion.com/go2/0804bug2a.html

EnGarde:

https://www.nwfusion.com/go2/0804bug2b.html

**********

@Stake warns of flaws in McAfee’s Security ePolicy Orchestrator

Three flaws have been found in McAfee’s Security ePolicy Orchestrator that could be exploited to run code anonymously on the affected machine. For more, go to:

https://www.atstake.com/research/advisories/2003/a073103-1.txt

McAfee advisory page:

https://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp

**********

DoS vulnerability in NetScreen ScreenOS

A flaw in the operating system used in NetScreen’s firewall/VPN servers could be exploited to cause the machine to reboot, resulting in a temporary service outing. For more, go to:

https://www.nwfusion.com/go2/0804bug2c.html

**********

New kernel packages from Debian

Debian has released new kernel packages that fix a number of flaws found in previous releases. Some of these flaws could be exploited to read sensitive information on the affected machine or cause a DoS. For more, go to:

https://www.debian.org/security/2003/dsa-358

Debian patches xfstt

A patch is available from Debian for xfstt, a TrueType font server for X Windows. Two flaws exist that could allow an attacker to view certain system information, cause a DoS attack or potentially run arbitrary code on the affected machine. For more, go to:

https://www.debian.org/security/2003/dsa-360

Debian releases fix for mindi

According to an alert from Debian, “mindi, a program for creating boot/root disks, does not take appropriate security precautions when creating temporary files.  This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running mindi.” For more, go to:

https://www.debian.org/security/2003/dsa-362

Debian issues patch for Atari emulator

The atari800 emulator for Debian contains a buffer overflow vulnerability that could be exploited to gain root privileges on the affected machine. For more, go to:

https://www.debian.org/security/2003/dsa-359

Debian issues kdelibs fix

As we reported earlier this week, KDE is warning of a vulnerability in Konqueror, in which authentication credentials may be sent to unintended third parties in clear text. An unauthorized user may be able to gain access to a password-protected site by exploiting this flaw. A new kdelibs package from Debian fixes these issues. For more, go to:

https://www.debian.org/security/2003/dsa-361

eRoaster patch fixed

A flaw in the way eRoaster, a CD burning application, uses temporary files could be exploited by a malicious user to run arbitrary code with the privileges of the eRoaster user. For more, go to:

https://www.debian.org/security/2003/dsa-366

Debian releases patch for phpgroupware

A cross-scripting vulnerability has been found in phpgroupware. An attacker could exploit this to gain sensitive information or change browser behavior via a specially crafted URL. For more, go to:

https://www.debian.org/security/2003/dsa-365

**********

NetBSD patches realpath

A flaw in NetBSD’s realpath function could be exploited by sending a path name that is 1,024 characters long through the function. Any application that calls the function could be susceptible to a DoS attack, or an attacker could run arbitrary code. For more, go to:

https://www.nwfusion.com/go2/0804bug2d.html

**********

Buffer overflow in Half-Life

A buffer overflow vulnerability has been found in Versions 1.1.1.0 and earlier of the popular online game Half-Life. The flaw could be exploited in a DoS attack against a Half-Life client or to potentially run arbitrary code on the affected machine. For more, go to:

https://www.security-corporation.com/articles-20030730-000.html

**********

Today’s roundup of virus alerts:

Troj/Autoroot-A — This virus attempts to exploit a flaw in Microsoft’s DCOM RPC library. If successful, the virus drops a backdoor Trojan horse that allows a malicious user access to the infected machine. (Sophos)

W32/Lovgate-L — Another variant of the Lovegate Trojan Horse that spreads via e-mail and file-sharing networks. (Sophos)

**********

From the interesting reading department:

Microsoft investigates DoS attack on Microsoft.com

Microsoft’s main Web site was unreachable for almost two hours on Friday as the Web server it is hosted on failed following a DoS attack, the company said Friday. IDG News Service, 08/04/03.

https://www.nwfusion.com/news/2003/0804microinves.html

Face-off: IPSec VPNs are the best choice

IP Security VPNs remain the best choice for connecting multiple private networks over the Internet. IPSec operates at the network layer, securing all data between endpoints, regardless of application. Network World, 08/04/03.

https://www.nwfusion.com/columnists/2003/0804feng.html

Face-off: SSL-based VPNs are superior

Secure Sockets Layer VPNs are the superior option for secure “anywhere” remote access. Network World, 08/04/03.

https://www.nwfusion.com/columnists/2003/0804hopen.html

Dr. Internet: Blocking unauthorized wireless users

“Our network has several wireless access points, and our system logs show that unauthorized users have been ‘borrowing’ our Internet connection. What steps can we take to make the access points more secure?” Network World, 08/04/03.

https://www.nwfusion.com/columnists/2003/0804internet.html