Security news roundup: October 31

Here's a collection of recent security vulnerabilities and alerts, which covers the release of Wordprses 2.3.1 which is a bug-fix and security release, multiple vulnerabilities in AIX, and a code injection vulnerability discovered in McAfee E-Business Server.

Here's a collection of recent security vulnerabilities and alerts covering the release of Wordpress 2.3.1, which is a bug-fix and security release; multiple vulnerabilities in AIX; and a code injection vulnerability discovered in McAfee E-Business Server.

  • New version of WordPress released

WordPress 2.3.1 is now available. 2.3.1 is a bug-fix and security release for the 2.3 series. Some notable issues resolved:

  • Tagging support for Windows Live Writer
  • Fixes for a login bug that affected those with a Blog Address different than their WordPress Address
  • Faster taxonomy database queries, especially tag intersection queries
  • Link importer fixes

Download WordPress 2.3.1 here.
  • Multiple vulnerabilities detected in AIX

Several security vulnerabilities allowing attackers to obtain root privileges in various versions of AIX have been discovered by security provider iDefense.

According to heise Security:

Most of the vulnerabilities are based on buffer overflows in the bellmail, FTP client, lquerypv, lqueryvg, dig and crontab system tools or applications. In each case, the SUID bit is set. Attackers who are logged into the system can use specially crafted arguments to trigger a buffer overflow, write arbitrary code into the stack, and execute it at root level when the tool or application is called. In addition, the swcons SUID tool allows arbitrary files to be accessed or created on a system.

Interim fixes have been released by IBM.
  • McAfee E-Business Server vulnerability

Secunia Research has discovered a vulnerability in McAfee E-Business Server, which can be exploited to perform a remote code injection leading up to a compromise.

According to the Secunia advisory:

The vulnerability is caused due to an integer overflow within the e-Business administration utility service when parsing authentication packets. This can be exploited to cause a heap-based buffer overflow via a specially crafted authentication packet with an overly large length value.

By Paul Mah

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.