
Test ID: 1.3.6.1.4.1.25623.1.0.51447
Category: Conectiva Local Security Checks
Title: Conectiva Security Advisory CLA-2003:711
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in
advisory CLA-2003:711.

mnoGoSearch[1] is a full-featured web search engine software for
intranet and internet servers.

This update addresses two vulnerabilities in mnoGoSearch which affect
Conectiva Linux 9:

1. Buffer overflow in the ul variable (CVE-2003-0436)
pokleyzz reported[2] a buffer overflow
vulnerability in mnoGoSearch which can be exploited remotely to
execute arbitrary commands with the privileges of the webserver.

2. Buffer overflow in the query variable (q) (CVE-2002-0789)
qitest1 reported a buffer overflow
vulnerability[3] in the query variable (q) which can be exploited
remotely to execute arbitrary commands with the privileges of the
webserver.

The packages available through this update contain the new version
released by the authors that fixes these issues.

Additionally, some other bugfixes and enhancements have been
included:

- the files are now placed in the webserver directory (/srv/www) and
not in /var/www


- the CGI executable search.cgi is now installed in
/srv/www/default/cgi-bin


- access to the search.cgi CGI executable is restricted by default
to localhost (or 127.0.0.1). To change these permissions, please edit
/etc/apache/conf/conf.d/mnogosearch.conf and restart Apache. This was
done to avoid a possible unnecessary exposure of this service in the
case the package was installed but not configured.

- configuration files in the /etc/mnogosearch directory now have
stricter access permissions in order to avoid exposure of their
database access passwords


- two new subpackages have been created: mnogosearch-devel and
mnogosearch-devel-static, used only for development purposes.


Solution:
The apt tool can be used to perform RPM package upgrades
by running 'apt-get update' followed by 'apt-get upgrade'.

http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:711
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003

Risk factor : High

CVSS Score:
7.5

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2003-0436
BugTraq ID: 7865
http://www.securityfocus.com/bid/7865
http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005543.html
Common Vulnerability Exposure (CVE) ID: CVE-2002-0789
BugTraq ID: 4724
http://www.securityfocus.com/bid/4724
Bugtraq: 20020511 Bug in mnogosearch-3.1.19 (Google Search)
http://archives.neohapsis.com/archives/bugtraq/2002-05/0092.html
http://www.mnogosearch.org/history.html#log31
http://www.iss.net/security_center/static/9060.php
Copyright: Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com
