Displaying 20 results from an estimated 5000 matches similar to: "Asterisk Project Security Advisory Process"
2007 Apr 24
0
Asterisk Project Security Advisory Process
Recent events, including vulnerabilities that were reported and the
subsequent discussions about how they were handled, have made those of
us that manage Asterisk development decide that it is time for the
Asterisk project to have a formal security vulnerability and advisory
reporting process.
Over the next few weeks we will begin to formalize and document this
process on the asterisk.org
2003 Apr 07
0
Fwd: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise
FYI
>Mailing-List: contact vulnwatch-help@vulnwatch.org; run by ezmlm
>List-Post: <mailto:vulnwatch@vulnwatch.org>
>List-Help: <mailto:vulnwatch-help@vulnwatch.org>
>List-Unsubscribe: <mailto:vulnwatch-unsubscribe@vulnwatch.org>
>List-Subscribe: <mailto:vulnwatch-subscribe@vulnwatch.org>
>Delivered-To: mailing list vulnwatch@vulnwatch.org
2003 Sep 17
0
Fwd: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
More patch-o-rama :-(
---Mike
>From: Michal Zalewski <lcamtuf@dione.ids.pl>
>To: bugtraq@securityfocus.com, <vulnwatch@securityfocus.com>,
> <full-disclosure@netsys.com>
>X-Nmymbofr: Nir Orb Buk
>Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one)
>[CAN-2003-0694]
>Sender: full-disclosure-admin@lists.netsys.com
>X-BeenThere:
2000 Aug 18
0
[RHSA-2000:052-04] Zope update
---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: Zope update
Advisory ID: RHSA-2000:052-04
Issue date: 2000-08-11
Updated on: 2000-08-18
Product: Red Hat Powertools
Keywords: Zope
Cross references: N/A
1999 Nov 23
0
DoS with sysklogd, glibc (Caldera) (fwd)
Hi,
This advisory has a bit more than the Red Hat one....
Roger.
----- Forwarded message from Alfred Huger -----
>>From owner-bugtraq@SECURITYFOCUS.COM Mon Nov 22 18:49:41 1999
Approved-By: aleph1@SECURITYFOCUS.COM
Message-ID: <Pine.GSO.4.10.9911220906250.11753-100000@www.securityfocus.com>
Date: Mon, 22 Nov 1999 09:08:08 -0800
X-Reply-To: Alfred Huger
1999 Mar 28
0
whoops - ADMw0rm is old stuff
For all of us who don't regularly read the BUGTRAQ list and, like me
:-( , tend to forget: [mod: Like me :-( -- REW]
It has been pointed out, on a mail to BUGTRAQ, that the ADMw0rm is
pretty old stuff, already reported by CERT:
http://www.cert.org/advisories/CA-98.05.bind_problems.html
Searchable BUGTRAQ archives are available (also?) at
1997 Jul 29
0
Fwd: Buffer Overrun in ruserpass() in MH and NMH (fwd)
See attached. Red Hat Linux package mh-6.8.3-13.i386.rpm installs the
inc and msgchk programs as follows:
-rwsr-sr-x- root mail 72628 Oct 17 16:57 /usr/bin/mh/inc
-rwsr-xr-x- root root 52536 Oct 17 16:57 /usr/bin/mh/msgchk
Hal
-------
2005 Nov 05
0
Freebsd port issue: ZDI-05-002: Clam Antivirus Remote Code Execution
This was in bugtraq, and hasn't shown up in portaudit yet so I thought I
would send it and the fix to you.
I submitted a pr for a patch as well. (but for some reason, it bounced)
Problem #1:
Clamav 87 has been found to have a security vulnerability that
could
lead to remote code execution
Problem #2
patch patch-clamav-milter_clamav-milter.c won't
2006 Oct 28
0
Asteroid SIP Denial of Service Tool
Asteroid is a SIP denial of service attack tool which affected older versions
of Asterisk the Open Source PBX and may affect other products running the SIP
protocol. There are thousands of custom (mis)crafted SIP packets which were
sent to older versions of Asterisk that caused errors stopping Asterisk.
The packets were crafted based on packetdumps from Wireshark with flags set for
2004 Jun 28
2
Security Vulnerability in Asterisk
The following is pasted from SecurityFocus Newsletter #254:
-------------------------
Asterisk PBX Multiple Logging Format String Vulnerabilities
BugTraq ID: 10569
Remote: Yes
Date Published: Jun 18 2004
Relevant URL: http://www.securityfocus.com/bid/10569
Summary:
It is reported that Asterisk is susceptible to format string
vulnerabilities in its logging functions.
An attacker may use these
1999 Nov 11
0
CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND (fwd)
For those who are unaware...
[mod: This whole bind affair has gone a bit out of hand. Elias from
Bugtraq found "public" info indicating the problem. ISC/CERT were
working on releasing the bugfix together with the fix. Now everybody
is scurrying to get fixes out now that "the public" knows about this.
As far as I know, Red Hat (& Caldera) made a new RPM, based on the
most
2004 Aug 01
1
SSH login attempts: tcpdump packet capture
I got a packet capture of one of the SSH2 sessions trying to log in as a
couple of illegal usernames. The contents of one packet suggests an
attempt to buffer overflow the SSH server; ethereal's SSH decoding says
"overly large value".
It didn't seem to work against my system (I see no strange processes
running; all files changed in past ten days look normal).
I am
2003 Aug 05
1
What's the thing? FreeBSD Security Advisory FreeBSD-SA-03:08.realpath (fwd)
Hello there.
I tried make update using the following stable-supfile:
*default base=/usr
*default prefix=/usr
*default release=cvs tag=RELENG_4
*default delete use-rel-suffix
and my two nearest Russian CVS mirrors showed no changes in realpath.
Heck, I downloaded the patch and said in /usr/src:
# patch < realpath.patch
so it was rejected. Then I looked into realpath.c's revision and
2005 Mar 19
3
[Fwd: IceCast up to v2.20 multiple vulnerabilities]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey all,
did you happen to see this recent post to bugtraq? If so, I apologize.
I haven't been keeping up with the archives since everything has been
running so smoothly. ;)
- --Stauf
- -------- Original Message --------
Subject: IceCast up to v2.20 multiple vulnerabilities
Date: 18 Mar 2005 22:31:14 -0000
From: Patrick
2005 Apr 05
2
About the FreeBSD Security Advisories
Hello..
I've noticed a delay between when the security advisories are sent and
when the cvsup servers, ftp mirrors and web mirrors are updated. Is this
delay on purpose to give the users some time to update/patch their
system(s) before it hits pages like bugtraq, etc.. or is it just caused
by the delay between when the ftp/cvsup servers are synced?
Best regard,
Jesper Wallin
2003 Apr 07
0
timing related vulnerability that reveals whether files exist without regard to permissions
There was a recent post to BugTraq (April 2nd)
detailing a multi-platform vulnerability. An archived copy of this
posting can be found at http://www.securityfocus.com/archive/1/317425.
This vulnerability is a timing based attack on system calls that can
be used to reveal whether or not a file exists without regard to
permissions. The attack works based off the fact that using the
open() system
2003 Jun 30
1
Dovecot first impressions
Hi,
I have only recently become aware of Dovecot and gave it a try. The
previous 0.99.9.1 version didn't work well for me (OpenSSL), I dropped
it, but 0.99.10 has come just in time (saw it on freshmeat) and I
thought I'd give it another try if it promised SSL fixes, and it's sorta
working for me (i. e. it works with mutt, Mozilla, sylpheed, but not
cone -- but cone is beta and has SSL
2008 Aug 16
5
DO NOT REPLY [Bug 5695] New: rsync local timeout
https://bugzilla.samba.org/show_bug.cgi?id=5695
Summary: rsync local timeout
Product: rsync
Version: 3.0.3
Platform: x86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: core
AssignedTo: wayned@samba.org
ReportedBy: gabriele.tozzi@gmail.com
QAContact:
2003 Jul 31
5
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Hello,
I see in BugTraq that there's yet another problem with Wu-ftpd, but I see
no mention of it in the freebsd-security mailing list archives...I have
searched the indexes from all of June and July.
Wu is pretty widely used, so I'm surprised that nobody seems to have
mentioned this problem in this forum.
The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
2004 Aug 06
0
Fwd: Icecast temp patch (OR: Patches? We DO need stinkin' patches!!@$!)
Hi There,
re. the recently reported buffer overflow in icecast, is there any
"official" security patch against 1.3.11 ? I am reluctant to take any
un-official patch like this one ;-)
There is nothing on www.icecast.org/releases, maybe it's somewhere else ?
Thanks.
Alfredo
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: