A flaw in the popular ProFTPD FTP server potentially allows unauthenticated attackers to compromise a server. The problem is caused by a buffer overflow in the pr_netio_telnet_gets() function for evaluating TELNET IAC sequences, which won't be an issue if you are using a state of the art host as recommended in these Hostgator reviews.

ProFTPD is capable of processing TELNET IAC sequences on port 21; the sequences enable or disable certain options not supported by the Telnet or FTP protocol itself. The buffer overflow allows attackers to write arbitrary code to the application’s stack and launch it. Updating to version 1.3.3c of ProFTPD solves the problem.
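The bug class described above is a line reader that decodes TELNET IAC sequences into a fixed-size stack buffer without checking, per byte, that there is still room. The following is an added illustration of the defensive shape such a reader should have; it is not ProFTPD's code and the function name `telnet_gets_safe` is hypothetical. The command byte values come from RFC 854; the sample input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* TELNET command bytes (RFC 854). */
#define TN_SE   240
#define TN_SB   250
#define TN_WILL 251
#define TN_WONT 252
#define TN_DO   253
#define TN_DONT 254
#define TN_IAC  255

/*
 * Hypothetical "read one control-channel line, stripping TELNET IAC
 * sequences" routine (not ProFTPD's).  Every byte stored in 'out' is
 * preceded by a bounds check, and no decoder reads past 'inlen'.
 * Returns bytes stored (NUL not counted), or -1 when the line does not
 * fit: the caller should drop the line rather than truncate it.
 */
long telnet_gets_safe(const unsigned char *in, size_t inlen,
                      char *out, size_t outlen)
{
    size_t i = 0, n = 0;

    if (out == NULL || outlen == 0)
        return -1;

    while (i < inlen) {
        unsigned char c = in[i];

        if (c != TN_IAC) {
            /* Ordinary data byte: keep one slot for the terminating NUL. */
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)c;
            i++;
            if (c == '\n')
                break;
            continue;
        }

        /* IAC with nothing after it: truncated sequence, stop cleanly. */
        if (i + 1 >= inlen)
            break;
        unsigned char cmd = in[i + 1];

        if (cmd == TN_IAC) {
            /* IAC IAC escapes a literal 0xFF data byte; it costs a slot too. */
            if (n + 1 >= outlen)
                return -1;
            out[n++] = (char)TN_IAC;
            i += 2;
        } else if (cmd == TN_WILL || cmd == TN_WONT ||
                   cmd == TN_DO   || cmd == TN_DONT) {
            /* Three-byte option negotiation IAC <cmd> <opt>: discard. */
            if (i + 2 >= inlen)
                break;
            i += 3;
        } else if (cmd == TN_SB) {
            /* Subnegotiation: discard everything up to IAC SE. */
            size_t j = i + 2;
            while (j + 1 < inlen && !(in[j] == TN_IAC && in[j + 1] == TN_SE))
                j++;
            if (j + 1 >= inlen)
                break;          /* unterminated: stop, never overrun */
            i = j + 2;
        } else {
            /* Any other two-byte command (NOP, AYT, ...): discard. */
            i += 2;
        }
    }

    out[n] = '\0';
    return (long)n;
}

/* Constructed control-channel input: "USER" IAC DO 1 IAC IAC "\n". */
static const unsigned char SAMPLE[] = {
    'U', 'S', 'E', 'R', TN_IAC, TN_DO, 1, TN_IAC, TN_IAC, '\n'
};

/* Returns 1 when SAMPLE decodes to "USER\xff\n" in a 16-byte buffer. */
int sample_decodes_correctly(void)
{
    char buf[16];
    long n = telnet_gets_safe(SAMPLE, sizeof SAMPLE, buf, sizeof buf);
    return n == 6 && memcmp(buf, "USER\xff\n", 6) == 0 && buf[6] == '\0';
}

/* Returns 1 when a line longer than the buffer is rejected with -1
   instead of spilling past the end (the overflow class this guards). */
int long_line_is_rejected(void)
{
    unsigned char big[64];
    char small[8];
    memset(big, 'A', sizeof big);
    big[63] = '\n';
    return telnet_gets_safe(big, sizeof big, small, sizeof small) == -1;
}

int main(void)
{
    printf("sample ok: %d, overflow rejected: %d\n",
           sample_decodes_correctly(), long_line_is_rejected());
    return 0;
}
```

The design choice worth noting is that over-long and truncated input are both handled by stopping or refusing, never by writing past `outlen` or reading past `inlen`; a reader that checks the buffer only once per line, before decoding, can still be pushed over the end by escaped or multi-byte sequences.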

Read more at H-online


The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.17 of the Apache HTTP
Server (“Apache”). This version of Apache is principally a bug fix
release, and a security fix release of the APR-util 1.3.10 dependency;

* SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().

* SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which
could cause httpd to crash while parsing specially-crafted
XML documents.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.2.17 is available for download from:


Apache HTTP Server 2.0.64 legacy release is also currently available,
with the same vulnerability correction as well as many others fixed in
2.2.16 and earlier releases. See the corresponding CHANGES files linked
from the download page. The Apache HTTP Project developers strongly
encourage all users to migrate to Apache 2.2, as only limited and less
frequent maintenance is provided for legacy versions.

Apache 2.2 offers numerous enhancements, improvements, and performance
boosts over the 2.0 codebase. For an overview of new features
introduced since 2.0 please see:


Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.17 provides the
complete list of changes since 2.2.16. A summary of all of the security
vulnerabilities addressed in this and earlier releases is available:


This release includes the Apache Portable Runtime (APR) version 1.4.2
and APR Utility Library (APR-util) version 1.3.10, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.

This release builds on and extends the Apache 2.0 API. Modules written
for Apache 2.0 will need to be recompiled in order to run with Apache
2.2, and require minimal or no source code changes.


When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.


TurnKey Website Arrives!

Today I am very excited to be able to announce our newest software-as-a-service solution: TurnKey Website! TurnKey Website is an easy-to-use website builder that will save businesses thousands of dollars in web design costs. It includes over 1,000 different design templates you can completely customize in minutes. It also comes with tons of web applications (like blog, SitePal, image gallery, guestbook, forum, feedback, RSS reader and more), traffic reports, a free domain name AND ecommerce shop pages! Of course, all of this is backed by our world-class 24×7 support.

But I’ve Never Made a Website Before!
For those of you who may feel a little bit timid about leaping into designing your own company website, I completely understand where you’re coming from. As a former small business owner myself, I remember feeling completely overwhelmed by both the cost of hiring a designer, and the steep learning curve of figuring out how to do it myself. I ended up spending many hours that I didn’t really have to design my site. In the end it was functional, but it wasn’t pretty, and my company’s reputation suffered. If I had had TurnKey Website back then, who knows how my business would have done!

Video Tutorials
If you have never used a website builder before, you will probably benefit from watching our short tutorials that demonstrate the software and illustrate, quickly and easily, how you can use it to build your own business website. Everything in TurnKey Website is customizable. You pick colors, include your logo and edit all the text. If you watch the tutorials and follow the easy step-by-step instructions, you will be amazed how much functionality you suddenly find at your fingertips.

The Highest Quality: Professional Results Every Time
The first time I tried TurnKey Website, I was shocked by the quality of the templates. They look extremely professional—in fact, many “professional” designers use similar templates for their projects—projects that bring in thousands of dollars for the designers. The only difference between those designers and you is that they know how to use the software! To be fair, a lot of the web design software out there is extremely convoluted and confusing, and it’s worth it to hire an expert—figuring it out yourself would be worth the money, and more! But TurnKey Website isn’t hard to figure out. It makes sense! In fact, you could learn it in 30 minutes and then turn around and sell your design services to the next guy! Seriously. It’s that easy and that good.

And There’s More
Beyond just the design of your website, TurnKey Website includes tons of added programs to build your online presence—from ecommerce tools to images, from blogging to flash intro pages. Once you understand the basics, you can set up an online store in minutes, and start taking credit card payments right away.

Give it a Shot
Try TurnKey Website today and we know you will be amazed with what you can do, and super pleased by the price tag (only $7.95/month). And with our free 30-day money back guarantee, you have everything to gain and nothing to lose. How often does that happen?


[Dovecot-news] v1.2.15 released


See the “ACL handling bugs” message for more details about the ACL
merging bug.

* acl: Fixed the logic of merging multiple ACL entries. Now it works as
documented, while previously it could have done slightly different
things depending on the order of the entries.

* acl: Don’t give admin rights to all owner mailboxes. This was
originally done to make sure that mailbox owner couldn’t accidentally
remove their own admin rights. But this is already prevented by
SETACL command, so it’s not necessary. Also sysadmin may have
intentionally removed some admin rights from some mailboxes
(especially when using symlinked shared mailboxes).

- Maildir: Fixed potential “Duplicate file entry” in dovecot-uidlist
file errors.
- Maildir: Avoid unnecessary uidlist recreation during mail delivery.
- imap: When SELECT fails, it didn’t close the previous mailbox.
- Dovecot master process could have died if it got SIGCHLD signals
very rapidly while it was trying to log. This could have happened
for example if a lot of imap/pop3 sessions disconnected at the exact
same time.


Zerimar points out that a significant flaw in Apache that can lead to a fairly trivial DoS attack is in the wild. Apache 1.x, 2.x, dhttpd, GoAhead WebServer, and Squid are confirmed vulnerable, while IIS6.0, IIS7.0, and lighttpd are confirmed not vulnerable. As of this writing, Apache Foundation does not have a patch available. From Rsnake’s introduction to the attack tool:

Read more at Slashdot


The PHP development team would like to announce the immediate availability of PHP 5.2.10. This release focuses on improving the stability of the PHP 5.2.x branch with over 100 bug fixes, one of which is security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.10:

  • Fixed bug #48378 (exif_read_data() segfaults on certain corrupted .jpeg files). (Pierre)

Key enhancements in PHP 5.2.10 include:

  • Added “ignore_errors” option to http fopen wrapper. (David Zulke, Sara)
  • Fixed memory corruptions while reading properties of zip files. (Ilia)
  • Fixed memory leak in ob_get_clean/ob_get_flush. (Christian)
  • Fixed segfault on invalid session.save_path. (Hannes)
  • Fixed leaks in imap when a mail_criteria is used. (Pierre)
  • Changed default value of array_unique()’s optional sorting type parameter back to SORT_STRING to fix backwards compatibility breakage introduced in PHP 5.2.9. (Moriyoshi)
  • Fixed bug #47940 (memory leaks in imap_body). (Pierre, Jake Levitt)
  • Fixed bug #47903 (“@” operator does not work with string offsets). (Felipe)
  • Fixed bug #47644 (Valid integers are truncated with json_decode()). (Scott)
  • Fixed bug #47564 (unpacking unsigned long 32bit big endian returns wrong result). (Ilia)
  • Fixed bug #47365 (ip2long() may allow some invalid values on certain 64bit systems).
  • Over 100 bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.10.

For a full list of changes in PHP 5.2.10, see the ChangeLog.

