* BIND
    * LISA
    * Lib HTTPd
    * libpng
    * masqmail
    * KDE telnet and rlogin
    * FreeBSD Resolver Code
    * Windowmaker
    * Tiny HTTPd
    * Kgpg
    * squid
    * Zeroo HTTP Server
    * UnixWare and OpenUnix talkd

BIND

BIND has a collection of vulnerabilities that can be used by a remote attacker to execute arbitrary code and that can be used in a denial of service attack against the name server. All versions of BIND earlier than 9.2.1, 8.3.4, 8.2.7, and 4.9.11 are affected..

ISC recommends that users upgrade to version 9.2.1 or newer of BIND as soon as possible. Users who can not upgrade to 9.2.1 can upgrade to BIND versions 8.3.4, 8.2.7, or 4.9.11.
LISA

KDE's LISA is a LAN browsing utility package. LISA is vulnerable to buffer overflows that can be used by an attacker to execute code with the permissions that LISA is running under (often root). Additionally under some conditions an attacker may be able to access a users account using a bug in LISA.

Users should upgrade to KDE 3.0.5 , apply the appropriate patches, disable LISA, and remove its set user id bits, or remove LISA from the system.

Lib HTTPd

Lib HTTPd, a library implementing web server capabilities, contains a bug that can be exploited to execute arbitrary code on the server with the permissions of the user running the application linked to the library. A script to automate the exploitation of this bug has been released.

Users should watch for an update to Lib HTTPd and should consider disabling applications built with it until they have been recompiled using a repaired library.
libpng

It has been reported that there are several buffer overflows in the libpng library that can be exploited in a denial of service attack against any application linked to the library and may be exploitable to execute code.

Affected users should watch their vendor for updated packages.
masqmail

masqmail is a mail transfer agent designed for machines without a continuous Internet connection. masqmail has buffer overflows that can be exploited under some circumstances to execute code with root permissions.

Users should upgrade to a repaired version as soon as possible.
KDE telnet and rlogin

A flaw in the implementation of the KIO subsystem of KDE 2.1 and higher and KDE 3 to 3.0.4 can be exploited using a specially contrived URL in a KIO enabled application, HTML email, or HTML page to execute arbitrary commands on the system with the users permissions.

It is recommended that KDE 3 users upgrade to KDE 3.0.5 or apply patches to KDE 3.0.4. KDE 2 users unable to upgrade to KDE 3 should disable the telnet and rlogin KIO protocols.
FreeBSD Resolver Code

The resolver code in FreeBSD is used to query host names and IP addresses. It is vulnerable to several buffer overflows that may be exploitable in a remote denial of service attack.

Users should upgrade their system to FreeBSD 4.7-RELEASE or 4.7-STABLE. Users that choose not to upgrade should apply the appropriate patches and recompile any affected statically linked applications.

Windowmaker

Windowmaker, a popular X Window manager, has a buffer overflow in the code that handles showing images. Exploiting this buffer overflow could under some circumstances be used to execute code with the permissions of the user running Windowmaker.

It is recommended that users upgrade to Windowmaker version 0.80.2 or the CVS version as soon as possible.
Tiny HTTPd

Tiny HTTPd, a small web server, is vulnerable to a buffer overflow that can be used to execute code on the server with the permissions of the user running Tiny HTTPd and is also vulnerable to a bug that can be used to view arbitrary files on the server.

The last update to the sourceforge page for Tiny HTTPd was in April 2001. Users should consider looking for a web server that is being actively maintained.
Kgpg

A bug in Kgpg (a frontend to GnuPG) results in the creation of wizard generated secret keys that have empty passphrases. An empty passphrase in a secret key would allow any user that has access to your key file or physical access to the computer they are stored on to decrypt any file without the use of a key phrase.

It is possible to edit the secret keys and add a passphrase but it is recommended that any wizard generated keys be deleted and replaced. Users should also upgrade Kgpg to version 0.9.
squid

A number of security problems have been repaired in the web caching software Squid. Code that has been repaired includes code that parses FTP directory listings into HTML pages, Gopher client code, code dealing with the MSNT auth helper, code that deals with FTP data connections, and code that forwards proxy authentication credentials.

The Squid team recommends that users upgrade to version 2.4.STABLE7 of Squid.
Zeroo HTTP Server

The Zeroo HTTP server is vulnerable to a buffer overflow that can be used by a remote attacker to execute arbitrary code with the permissions of the user running the web server. A script to automate the exploitation of this vulnerability has been released.

Users should watch for an update that repairs this vulnerability.
UnixWare and OpenUnix talkd

The talk daemon supplied with UnixWare 7.1.1 and OpenUnix 8.0.0 is vulnerable to a remotely exploitable format string bug.