* Patches from Oracle, Debian, Mandrake Linux, others
* Good news: no new viruses to report today
* System break-in nets info on 5.6 million credit cards, and other interesting reading

Today’s bug patches and security alerts:

Oracle fixes database, application server flaws

Oracle is patching four security flaws in its database software and two in its application server, the most serious of which could allow an attacker to take complete control of a system running the software, experts warned. IDG News Service, 02/18/03.

Story:
https://www.nwfusion.com/news/2003/0218oraclfixes.html

CERT advisory:
https://www.cert.org/advisories/CA-2003-04.html

Oracle advisories:

Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server
https://otn.oracle.com/deploy/security/pdf/2003alert48.pdf

Buffer Overflow in TZ_OFFSET function of Oracle9i Database Server
https://otn.oracle.com/deploy/security/pdf/2003alert49.pdf

Buffer Overflow in TO_TIMESTAMP_TZ function of Oracle9i Database Server
https://otn.oracle.com/deploy/security/pdf/2003alert50.pdf

Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server
https://otn.oracle.com/deploy/security/pdf/2003alert51.pdf

Two Vulnerabilities in Oracle9i Application Server
https://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

**********

More PHP fixes available

As we reported in our last issue, a serious security vulnerability exists in PHP’s CGI SAPI. A remote attacker could exploit the flaw to trick the PHP engine into running arbitrary code on the affected machine. No other SAPI module is flawed. For more, go to:

SuSE:
https://www.suse.com/de/security/2003_009_mod_php4.html

Gentoo:
https://forums.gentoo.org/viewtopic.php?t=36530

EnGarde:
https://www.linuxsecurity.com/advisories/engarde_advisory-2870.html

OpenPKG:
https://www.openpkg.org/security/OpenPKG-SA-2003.010-php.html

**********

Debian releases updated CUPS patch

A previous patch for Debian’s CUPS implementation resulted in an incorrect library dependency. Debian’s got a new patch that fixes the problem.
For more, go to:
https://www.debian.org/security/

**********

More w3m packages

Two cross-site scripting flaws have been found in the w3m packages for many Linux flavors. The problems have been fixed in the latest release of the w3m packages. For more, go to:

Gentoo:
https://forums.gentoo.org/viewtopic.php?t=36308

OpenPKG:
https://www.openpkg.org/security/OpenPKG-SA-2003.009-w3m.html

**********

Gentoo patches syslinux

Previous versions of the syslinux installer required root privileges, which is not necessary. A new version fixes this issue. For more, go to:
https://forums.gentoo.org/viewtopic.php?t=36307

Gentoo releases mailman fix

A cross-site scripting flaw has been found in Version 2.1 of mailman for Gentoo. Version 2.1.1 fixes the flaw. For more, go to:
https://forums.gentoo.org/viewtopic.php?t=36306

Gentoo patches nethack game

A buffer overflow in the nethack game package for Gentoo could be exploited to gain elevated privileges. A patch is available. For more, go to:
https://forums.gentoo.org/viewtopic.php?t=36310

**********

OpenPKG releases Lynx patch

A CRLF injection vulnerability exists in the text-only Lynx browser that could allow the browser to be redirected to a malicious Web site. For more, go to:
https://www.openpkg.org/security/OpenPKG-SA-2003.011-lynx.html

OpenPKG updates dhcpd packages

A flaw in dhcpd was not completely patched during a previous round of updates. A new advisory is available with workarounds and a new update. For more, go to:
https://www.openpkg.org/security/OpenPKG-SA-2003.012-dhcpd.html

OpenPKG patches openssl

A flaw in the openssl package for OpenPKG could allow TLS/SSL communications to be passed in plain text. For more on the patch, go to:
https://www.openpkg.org/security/OpenPKG-SA-2003.013-openssl.html

**********

Mandrake Linux patches apcupsd

A remote root vulnerability has been found in the apcupsd code. A fix is available that also includes some other enhancements.
Mandrake Linux users can get more information from:
https://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:018

Mandrake Linux releases fix for pam_xauth

A flaw in the pam_xauth authorization module could allow an unprivileged user to gain root privileges on the affected machine. There’s a very small window in which this exploit could be used, but nonetheless, there is a flaw. For more, go to:
https://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:017

**********

SuSE patches imp

A flaw in the popular imp Web-based mail system can be exploited to access the underlying database without authentication. Another flaw could be exploited to run arbitrary shell commands. For more, go to:
https://www.suse.com/de/security/2003_008_imp.html

**********

Today’s roundup of virus alerts:

A rarity: No new viruses to report today.

**********

From the interesting reading department:

System break-in nets info on 5.6 million credit cards

A computer hacker, or hackers, has gained access to the credit card numbers of as many as 5 million credit card customers. Information was stolen from more than 2.2 million MasterCard International accounts and approximately 3.4 million Visa USA cardholder accounts, according to those companies. IDG News Service, 02/18/03.
https://www.nwfusion.com/news/2003/0218sysbreak.html

New security device locks down ‘Net connected apps

Teros, formerly Stratum8 Networks, Tuesday announced Version 2.0 of its Teros-100 Application Protection System, a security appliance designed to protect applications connected to the Internet against cyberattacks. IDG News Service, 02/19/03.
https://www.nwfusion.com/news/2003/0219teros.html

Intel, Check Point team on mobile security

A new multiyear agreement between Check Point and Intel will couple Check Point’s remote access software with Intel’s new Centrino mobile computing technology.
IDG News Service, 02/19/03.
https://www.nwfusion.com/news/2003/0219intelcheck.html

TruSecure acquires Vigilinx

The managed security services field narrowed on Tuesday, as TruSecure announced that it had acquired Vigilinx for an undisclosed sum. IDG News Service, 02/18/03.
https://www.nwfusion.com/news/2003/0218truseacqui.html

**********

Archives:

We’re keen on keeping you up to date and one way we do that is via our always updating archive:
https://www.nwfusion.com/newsletters/bug/