Pam_ldap does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.
This might lead to an attacker being able to login into a suspended system account.
The OpenSSL library was not properly initialized in the jabber SSL support code, which prevented SSL support for incoming client connections on the jabber server. This update corrects this issue.
A heap-based buffer overflow was discovered in librpm when the LANG or LC_ALL environment variable is set to ru_RU.UTF-8 (and possibly other locales), which could allow for ser-assisted attackers to execute arbitrary code via crafted RPM packages.
The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.
Vulnerabilities in the HTTP, LDAP, XOT, WBXML, and MIME Multipart dissectors were discovered in versions of wireshark less than 0.99.4, as well as various other bugs. This updated provides wireshark 0.99.4 which is not vulnerable to these issues.
To browse through our weekly Linux Advisory Watch newsletters,