Even More Security Problems
BEA announced a vulnerability in its WebLogic Server and Express versions 6.0, 6.1 and 7.0, all platforms. The problem, basically a bug in the implementation of an internal protocol used for copying files between servers and supporting developers, could allow unprivileged users to access and modify application source code, system settings, even system files. WebLogic users should apply the patches immediately. The Samba team released patches for a series of bugs that could allow a remote user anonymously to gain su (root) privileges on the server running Samba. This is pretty much a worst-case scenario; Samba administrators, quit those video games and upgrade your servers ASAP. All versions of Samba from 2.0.x through 2.2.7 are affected. Administrators should either upgrade to 2.2.8 or follow instructions in the advisory referenced above in order to limit exposure.On a more academic and theoretical note, a professor and a security officer at Stanford University released a paper on the possibility of using timing attacks against OpenSSL, a very popular open source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. In response, the OpenSSL team released an advisory and a patch that should address the problem. Almost all SSL_enabled versions of Apache are affected, so the number of potentially vulnerable systems is large. Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
The Linux Kernel team released Version 2.2.25 and a patch for Version 2.4.2x in order to patch a local root exploit in those versions. The kernel team does not believe that the 2.5 series of kernel versions are vulnerable. The announcement from Senior Kernel Boss Alan Cox to the linux-kernel mailing list states that a local user could obtain full privileges, but that a remote exploit was not possible.