phpMyAdmin updates close security vulnerability

The phpMyAdmin developers have announced the release of versions 3.3.9.1 and 2.11.11.2 of their database administration tool, security updates that fix a path disclosure vulnerability. According to the developers, when the README, ChangeLog or LICENSE files are removed from their original location, the scripts used to display these files can show their full path, possibly […]

Phrack hole closed in ProFTPD

The development team behind ProFTPD has released version 1.3.3d, which closes a critical security hole in the SQL module of all previous versions. The flaw was reported roughly a month ago in Phrack, the hacker magazine. A buffer overflow in the function sql_prepare_where() allows attackers to remotely execute arbitrary code on the server. The developers […]

Possible root vulnerability in Exim internet mailer

According to a posting on the Exim developer mailing list, the Debian package (and potentially others) contains a vulnerability which can be remotely exploited by attackers to gain control of a server. Initial investigations by Sergey Kononenko, administrator of a network penetrated by unknown attackers, apparently via this vulnerability, suggest that the problem may be […]

Back door in ProFTPD FTP server

Unknown attackers penetrated the server hosting the open source ProFTPD FTP server project and concealed a back door in the source code. The back door provides the attackers with complete access to systems on which the modified version of the server has been installed. On installation, the modified version informs the group behind the back […]

Red Hat warns of hole in OpenSSL

In an advisory, Linux distributor Red Hat has warned that a security vulnerability in OpenSSL can potentially be remotely exploited to break into a server. Affected versions include OpenSSL 0.9.8f to 0.9.8o, 1.0.0 and 1.0.0a. Updating to OpenSSL 0.9.8p or 1.0.0b closes the hole. The problem is caused by a race condition in the OpenSSL […]

Security update for ProFTPD FTP server

A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences. ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the […]

With Open Source Bug Bounties, 12-Year Olds Can Win Too

We’ve written before about bug bounties–cash prizes offered by open source communities to anyone who finds key software bugs–ranging from FOSS Factory’s bounty programs to the bounties that both Google (for the Chrome browser) and Mozilla offer. As we’ve noted, commercial companies focused on open source and open source communities at large can benefit from […]

Linux Root Access Vulnerabilities

US-CERT is aware of public reports of multiple vulnerabilities affecting Linux. Exploitation of these vulnerabilities may allow an attacker to access the system with root or “superuser” privileges. The first of these vulnerabilities is due to a flaw in the implementation of the Reliable Datagram Sockets (RDS) protocol in Linux kernel versions 2.6.30 through 2.6.36-rc8. […]

Pidgin 2.7.4 closes DoS vulnerability

The Pidgin development team has released version 2.7.4 of its open source instant messenger application. According to the developers, this maintenance and security update addresses a medium-risk vulnerability (CVE-2010-3711) in the libpurple library used by Pidgin and other instant messaging clients, including Adium and Meebo, that could lead to a remote denial-of-service (DoS) attack. […]

MySQL update addresses DoS vulnerability

Oracle has released version 5.1.51 of MySQL, a security update that addresses a Denial of Service (DoS) vulnerability in the open source database. According to security specialist Secunia, an error in the processing of arguments passed to the LEAST() or GREATEST() functions could be exploited by a malicious user to cause a server crash, leading […]

Critical hole in Reader: Adobe accelerates patch day

Adobe has announced plans to bring the release of a patch to close the critical security hole in the current versions of Reader and Acrobat forward to Tuesday, October 5th. As a result, no further patches will be released on the scheduled patch day which was due on October 12th. The hole has been known […]

Tiki Wiki closes critical security hole in recent releases

A critical security hole and other security issues have been addressed in Tiki Wiki CMS 5.2 and 3.7 LTS with the release of 5.3 and 3.8 LTS versions. The updates are “highly recommended” to remedy the problems found by John Leitch; further details of the issues have not been revealed. Versions 5.2 and 3.7 LTS […]

A Tale of Two Root Exploits, and Why We Shouldn’t Panic

There’s no denying Linux is more secure than perpetually-patching Windows, but the past month or so has not provided an ideal demonstration. In August, we saw the arrival of a long-overdue fix for a kernel bug that was six years old; now, in the last week or so, it’s been not one but two root […]

Update for OpenX ad server closes hole

The OpenX developers have released version 2.8.7 of their free open source ad server, likely closing the security hole discovered earlier this week. The vulnerability was the result of a component integrated in OpenX’s video plug-in from a third party, which allows images to be uploaded. The “Open Flash Chart 2” module (ofc_upload_image.php) failed to check […]

Die-hard bug bytes Linux kernel for second time

The Linux kernel has been purged of a bug that gave root access to untrusted users – again. The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months […]

Web sites distribute malware via hacked OpenX servers

The vulnerability in the free OpenX ad server made public on Monday is already being actively exploited to distribute malware. According to press reports, a server that provides The Pirate Bay with ad banners was hacked, but browsers that use Google’s Safe Browsing API to reach the site are warned that it has dangerous content. […]

Year-old vulnerability endangers OpenX ad server

A critical security flaw in current and older versions of the popular open source OpenX ad server allows attackers to remotely compromise a server. A few reports (German language link) even discuss successful attacks on OpenX servers in which the vulnerability was exploited. The problem is the result of a component integrated in OpenX’s video […]

Dangerous security flaw patched in Linux

A critical vulnerability in the Linux kernel that gives attackers access to root via X server has been patched by Linus Torvalds. Meanwhile, kernel developer James Morris reports on the first-annual Linux Security Summit (LSS), which covered topics including usability, hardening the kernel, and API standardization. Linux folk have long shown an almost smug, if […]

Android game secretly transmits GPS coordinates

In a post on their Connect blog, security specialist Symantec reports on a new trojan for Android that masquerades as a free Tap Snake game, while secretly transmitting GPS coordinates to a server in the background. These coordinates can then be retrieved and displayed in Google Maps via the GPS Spy Android app sold for […]

New Flash Bug Exploited By Hackers: How to avoid it?

A new attack on a Flash bug has surfaced that would give attackers control of a victim’s computer after crashing it, reports PC World. Adobe put out a Security Advisory about this on June 4. It is categorized as a critical issue and all operating systems with Flash are vulnerable including Windows, Linux, and Apple […]