• United States

Bug Alert: CERT warns of SIP flaws

Feb 24, 20035 mins

* Patches from Red Hat, Mandrake Linux, others * Beware a Trojan horse of a different color, which opens and closes CD-ROM trays * WLAN security spec probably due next year, and other interesting reading

Today’s bug patches and security alerts:

CERT: Vulnerabilities in SIP

According to an alert from CERT, multiple “vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior.” Multiple vendor implementations are affected by this problem. for more, go to:

CERT advisory:



Red Hat patches VNC flaws

Red Hat has patched two flaws in the VNC software used for controlling a machine remotely. The flaws revolve around VNC authentication method, which has proven to be weak. For more, go to:

Updated shadow-utils available for Red Hat

A flaw in the way ownership privileges are set to the shadow-utils function could allow users on an affected machine to read/write each others mail. For more, go to:


Mandrake Linux patches PHP

As we’ve reported, a serious security vulnerability PHP’s CGI SAPI. A remote attacker could exploit the flaw to trick the PHP engine to run arbitrary code on the affected machine. Not other SAPI module is flawed. For more, go to:

Fix available for krb5 FTP vulnerability

A flaw in the FTP client for Kerberos 5 could allow a malicious user to write files outside the intended directory as well as potentially execute arbitrary code. For more, go to:


More OpenSSL patches available

A flaw in the openssl package for OpenPKG could allow TSL/SSL communications to be passed in plain text. For more on the patch, go to:




Mandrake Linux:


Debian patches slocate

According to an alert from Debian, “A buffer overflow in the setuid program slocate can be used to execute arbitrary code as superuser.” For more, go to:


Updated MySQL packages available from EnGarde

A flaw in the MySQL package for Linux could be exploited by a valid user to crash the affected system. This denial-of-service flaw has been patched by EnGarde. For more, go to:


Gentoo patches bitchx

A denial-of-service vulnerability has been found in the IRC client bitchx. Patch and more information available from:


Conectiva release kde update

A new update for kde is available for Conectiva users. This version contains a number of bug fixes and enhancements, as well as a couple of fixes for more severe vulnerabilities. The more severe problems could be exploited to run a denial-of-service attack against the affected machine. For more, go to:


Today’s roundup of virus alerts:

W32/Lovgate-A – A Trojan horse that spreads via network shares and can allow a malicious user access to infected system. (Sophos, Panda Software)

W32/Tang – This virus spreads via all the usual suspects: e-mail, file-sharing applications and network shares. It overwrites a number of popular file type and infects Excel workbook files. (Panda Software)

Kingpdt – Another virus that spreads via e-mail and file-sharing applications. This one too overwrites a number of popular file types. (Panda Software)

Nzlog – A Trojan horse program that sits in the infected computer’s memory and logs keystroke information to a file called “NZLOG.TXT”. (Panda Software)

Aileen – An interesting Trojan horse that opens and closes the CD-ROM tray. (Panda Software)


From the interesting reading department:

Swiss crack E-Mail code, but minimal impact seen

Researchers at a Swiss university have cracked the technology used to keep people from eavesdropping on e-mail sent over the Web, but U.S. experts Thursday said that the impact would likely be minimal., 02/21/03.

WLAN security spec probably due next year

The IEEE 802.11i standard will plug all known security holes in IEEE 802.11 wireless LANs, also known as Wi-Fi, but probably won’t see final approval or shipping products until about a year from now, according to an Intel network architect involved in the drafting of the standard who spoke here Thursday at the Intel Developer Forum. IDG News Service, 02/21/03.

Government publishes HIPAA security standards

More than four years after it first proposed health information security standards, the Department of Health and Human Services published a trimmed-down final version of the standards on Thursday. IDG News Service, 02/20/03.


Archives online:

Reality TV may be all the rage, but we’re grounded in reality here at Fusion. Check out our online archives at: