• United States

Bugzilla bugs fixed

Nov 06, 20034 mins

* Patches from BEA, Oracle, others * Beware latest variant of the Yaha family * Microsoft puts a bounty on virus writers, and other interesting reading

Today’s bug patches and security alerts:

Bugzilla bugs fixed

The Bugzilla bug tracking system has some bugs of its own. Two flaws could lead to SQL code be injected into the affected machine. A third flaw mishandles group privileges and a fourth error could lead to an information leak. A fix is available. For more, go to:

Bugzilla advisory:



BEA patches BEA Tuxedo and WebLogic Enterprise

Three security flaws have been found in many versions of BEA Tuxedo and WebLogic Enterprise. These could be exploited in a denial-of-service attack or lead to remote file disclosure or cross-scripting attacks. For more, go to:


Oracle patches databases

NGSSoftware is reporting a vulnerability in Oracle Application Server 9i and its related database platform. The flaw in the remote procedure call handling could be exploit to access data in the affected system via the Internet. For more, go to:


Apple releases fix for terminal

According to an alert from Apple, “a potential vulnerability with the Terminal application in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system.” For more, go to:


More apache patches available

A number of vendors have released a new update to the popular apache Web server code. This release fixes a number of previous vulnerabilities including a pair of buffer overflows. For more, go to:

Mandrake Linux:





Red Hat issues fix for fileutils

A buffer overflow vulnerability has been found in Red Hat’s “ls” directory listing command found the fileutils package. The flaw could be exploited in a denial-of-service attack. For more, go to:


Mandrake Linux patches postgresql

Two bugs found in the postgresql database code could be exploited to trigger a buffer overflow, which could be used to run malicious code on the affected server. For more, go to:


EnGarde releases updated OpenSSL patch

An OpenSSL patch released in late September ended up introducing another potential vulnerability that could be exploited in a denial-of-service attack against the affected machine. For more, go to:


Today’s roundup of virus alerts:

W32/Yaha-X – Another variant of the Yaha family. This one spreads via a built-in SMTP engine using any email addresses if finds on the infected system. It attempts to exploit an older iFrame vulnerability in Internet Explorer and Outlook. A plug-in may allow the virus to log keystrokes as well. (Sophos)


From the interesting reading department:

Microsoft puts a bounty on virus writers

Stepping up its battle against computer viruses and worms, Microsoft has established a $5 million fund to pay rewards for information that leads to the arrest and conviction of those responsible for releasing malicious code, the company said. IDG News Service, 11/05/03.

Employers want security certifications

Some security professionals have begun to question the value of their most highly-valued certifications, as more and more people pass those tests, said Stephenson, a consultant at Eastern Michigan University’s Center for Regional and National Security, during a presentation at the Computer Security Institute’s (CSI) Computer Security Conference and Exhibition in Washington, D.C. IDG News Service, 11/05/03.

Cybersecurity a balancing act, former FBI head says

On one hand, U.S. businesses need to protect their trade secrets because national security is tied closely to economic security, but on the other hand encryption might be helping criminals hide their secrets, Louis Freeh, former director of the FBI, told a gathering of cybersecurity experts Monday. IDG News Service, 11/04/03.

Panther erases some external drives

Apple has acknowledged that there are issues with Mac OS X 10.3 Panther by posting a special message for FireWire disk drive users. A number of Panther users reported a problem with the new OS erasing data on external FireWire drives., 11/03/03.