Package: freetype, freetype-utils, freetype-devel
Vulnerability: memory management and buffer overflow
Problem type: (local) remote
Redhat-specific: unknown
CVE Id(s): CVE-2010-2498, CVE-2010-2500, CVE-2010-2499
CVE Id(s): CVE-2010-2519, CVE-2010-2527, CVE-2010-2541
Originally Posted on: Redhat Security Errata
An invalid memory management flaw was found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2498)
An integer overflow flaw was found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2500)
Several buffer overflow flaws were found in the way the FreeType font engine processed font files. If a user loaded a carefully-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2499, CVE-2010-2519)
Several buffer overflow flaws were found in the FreeType demo applications. If a user loaded a carefully-crafted font file with a demo application, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-2527, CVE-2010-2541)
Package: wget
Vulnerability: missing input sanitization
Problem type: local (remote)
Debian-specific: no
CVE Id(s): CVE-2010-2252
Debian Bug: 590296
Originally Posted on: Debian Security List
It was discovered that wget, a command line tool for downloading files from the WWW, uses server-provided file names when creating local files. This may lead to code execution in some scenarios. After this update, wget ignores server-provided file names, which mitigates the issue. Where that is not desirable, you can restore the old behavior by invoking wget with the new --use-server-file-name option. For the stable distribution (lenny), this problem has been fixed in version 1.11.4-2+lenny2, which can be obtained by running apt-get update && apt-get upgrade on your system. For system administrators, it is very important that you update immediately if your system is used by the public or by people outside of the company.
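An added example (not wget's code and not part of the original advisory) of the policy the update describes: the local name comes from the URL the user asked for, and a server-provided name is honoured only on opt-in and only after being reduced to one safe path component. The function names, the final_url parameter and the sample URLs are assumptions made for illustration; the use_server_file_name flag mirrors the advisory's --use-server-file-name option.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def basename_from_url(url):
    """Last path segment of a URL, percent-decoded ("index.html" if empty)."""
    name = posixpath.basename(unquote(urlsplit(url).path))
    return name or "index.html"


def sanitize_server_name(name):
    """Reduce an untrusted name to one safe path component, or return None."""
    # Treat "\" like "/" and keep only the final component, so a decoded
    # "../" or "..\" sequence can never leave the download directory.
    name = name.replace("\\", "/").split("/")[-1]
    # Drop control characters that could confuse terminals or tools.
    name = "".join(ch for ch in name if ch.isprintable()).strip()
    # Refuse empty names, "." / ".." and hidden (dot) files: a remote
    # server should not get to create configuration-style files locally.
    if name in ("", ".", "..") or name.startswith("."):
        return None
    return name


def local_file_name(requested_url, final_url=None, use_server_file_name=False):
    """Choose the local file name for a download.

    requested_url: the URL the user typed (trusted input).
    final_url: the URL the server steered the client to (untrusted).
    """
    fallback = basename_from_url(requested_url)
    if not use_server_file_name or not final_url:
        return fallback  # post-update default: server-provided name ignored
    return sanitize_server_name(basename_from_url(final_url)) or fallback


if __name__ == "__main__":
    requested = "http://downloads.example/pkg/latest.tar.gz"  # constructed
    samples = [  # constructed server-side names
        "http://mirror.example/files/other-name.tar.gz",
        "http://mirror.example/files/.hidden-config",
        "http://mirror.example/a/..%2F..%2Foutside.txt",
    ]
    for final in samples:
        print(final, "->", local_file_name(requested, final),
              "| opt-in:", local_file_name(requested, final, True))
```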
Why do people insist on being so ambiguous? As administrators, engineers, developers or IT professionals in general, we fight ambiguity, yet on a mailing list we choose to be ambiguous. Today I had a small lapse in memory: I forgot how to list packages by base architecture. In other words, I wanted to see packages that were either 32bit, 64bit or able to run on either.
One person showed me a simple way to help remove extra left-over 32bit packages after I removed ia32. This was helpful, and I thanked them, as I clearly left open that gateway for them to help me with that if they so chose. However, another person decided to jump in and then decided to explain to me how Debian is not multi-architecture (which I already knew and did not ask) and then explain to me how only removing ia32-libs would solve all my problems (which is plain wrong) and then explain dpkg to me while not even touching on specifically what I wanted. He ambiguously interpreted my statement, which led him to think that all this would be useful and on point, even though it wasn’t. It wasn’t hard to read my question. I didn’t need a 10 page explanation on what I already know, I needed a quick command.
I just wish sometimes people would stand back, read, reread and then answer, that way they don’t send out emails that are long and by theory off topic. While I was probably harsh in my initial approach, I stand by what I said to him about everything being moot and me not needing childish explanations of how dpkg works when I know how dpkg works. I just forgot how to list packages of a certain type and that’s all I wanted to know. Be direct please, and stay on topic; if I need more explanations, I’ll ask, because that’s the point of a thread.
Some Mac users top the idiot level on security and here is why. Recently I started playing with OSX on my Mac. As a systems administrator, I naturally sought to find security solutions for this machine because it’s public facing; I do the same thing on Windows and Linux. You should always have Antivirus of some kind. Let’s just say, Virus is interchangeable (for this instance) with Trojan, Rootkit and you’re an idiot. You must have missed the memo on OSX/HellRTS.D, maybe? Just too busy thinking your machine can’t be infected to notice?
Image courtesy of two idiots & Apple forums
Here are the problems with Mac users: 1.) They listen to Apple and misinterpret “Mac OS X doesn’t get PC viruses” from http://www.apple.com/macosx/security/ (these are the same people who deny the iPhone antenna problems ~ and instead of fixing it, point out other phones have the same mistake ~ as if that’s going to make you look like less of an asshole) the statement means Mac can’t be infected by Windows ONLY viruses, it doesn’t mean there are no fucking viruses for your Mac, asshats. 2.) They listen to the idiots in the figure above, who say it’s theoretically impossible (by implication of course.) but security labs beg to differ and 3.) they don’t actively push for antivirus because they think they don’t need it, leaving people who actually know a bit about security up to themselves having to do twice the work when they have suspicious feelings.
Some notes for you Mac fanboys: ClamAVX is for Windows Viruses mostly, it has no true virus definitions for Linux. Sophos is an industry known and trusted security solution that can find Malware for OSX, as a matter of fact, they discovered more OSX based Malware than Apple did themselves and patched for it long before Apple did in their internal malware detection. Norton is the only solution sold by Apple, this means that Apple believes Norton is a decent solution, I thought you fanboys followed Apple around, if Apple sells Norton, do you not trust it?
By Jordon Bedwell
Image courtesy of the Terra Satellite
The news has come in that BP has finally capped the flow on the Gulf crude oil leak. After months of it leaking and ruining the Gulf Coast we can finally see some real progress and hopefully they can fully stop it and not continue to let it go on even 1oz. Keep trying and make sure your bullshit CEO doesn’t go on Golfing trips when he should be capping oil leaks in the US.