+----------------------------------------------------------------+
|  LinuxSecurity.com                    Linux Advisory Watch     |
|  April 20th, 2001                     Volume 2, Number 16a     |
+----------------------------------------------------------------+

Editors:  Dave Wreski      Benjamin Thomas
          daveat_private   benat_private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for samba, ctags, kernel, cfingerd,
ipfilter, sudo, nedit, netscape, pine, openssh, and ntp. The vendors
include Conectiva, Caldera, Debian, FreeBSD, Immunix, Mandrake, Red Hat,
Progeny, SuSE, and Trustix. A pretty serious Samba vulnerability was
described in multiple advisories. If you are currently using samba,
please make sure your system gets updated. As always, please check all
vulnerable packages.

EnGarde Linux i386 Now Available! - Guardian Digital, Inc., the Open
Source security company, has announced immediate availability of
EnGarde Secure Linux for the i386 platform.

http://www.engardelinux.org/download.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

   # rpm -Uvh <package-file>
   # dpkg -i <package-file>

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to
determine whether the file has changed. It is commonly used to ensure
the integrity of updated packages distributed by a vendor.

   # md5sum <package-file>
   ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who modified a package may also have
modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing.

+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+

* Conectiva: 'kernel' vulnerabilities
  April 19th, 2001

  Several vulnerabilities have been found in the GNU/Linux kernel
  versions prior to 2.2.19. It is possible for local users to obtain
  root privileges, modify kernel memory and even crash the machine. A
  full list of the security problems can be found at
  http://www.linux.org.uk/VERSION/relnotes.2219.html.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1306.html

* Conectiva: 'samba' vulnerability
  April 19th, 2001

  Samba is a file server for Windows 9x/NT <-> Unix interoperability
  over the SMB protocol. Versions below 2.0.8 have a temporary file
  vulnerability which could be used by a remote attacker with a local
  account on the server to corrupt block devices such as a hard disk
  (/dev/hda).

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1307.html

* Conectiva: 'netscape' javascript vulnerability
  April 17th, 2001

  There is a vulnerability related to JavaScript in versions below 4.77
  of Netscape that allows a remote webserver (which the user is
  accessing at a particular time) to, for example, obtain information
  about the client using the "about:" protocol, such as browser history
  (about:global) or even browser configuration (about:config).

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1293.html

+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera: 'samba' vulnerabilities
  April 18th, 2001

  During our security audits we found several places within the Samba
  server code which could lead to a local attacker gaining root access.

  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  samba-2.0.6-3

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1299.html

+---------------------------------+
|  Debian                         | ----------------------------//
+---------------------------------+

* Debian: 'cfingerd' vulnerability
  April 19th, 2001

  Megyer Laszlo reported on Bugtraq that cfingerd, as distributed with
  Debian GNU/Linux 2.2, was not careful in its logging code. By
  combining this with an off-by-one error in the code that copied the
  username from an ident response, cfingerd could be exploited by a
  remote user. Since cfingerd does not drop its root privileges until
  after it has determined which user to finger, an attacker can gain
  root privileges.

  Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/cfingerd_1.4.1-1.1_i386.deb
  MD5 checksum: 6ef1f240c9ab6fa1e94143d020bd782e

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1300.html

* Debian: [UPDATED] 'exuberant-ctags' vulnerability
  April 19th, 2001

  The updated exuberant-ctags that was mentioned in DSA-046-1 was
  unfortunately compiled incorrectly: the stable chroot we used turned
  out to be running unstable instead.

  Sun Sparc architecture:
  http://security.debian.org/dists/stable/updates/main/binary-sparc/exuberant-ctags_3.2.4-0.1.1_sparc.deb

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1301.html

* Debian: [UPDATED] 'samba' vulnerabilities
  April 19th, 2001

  The updated samba packages that were mentioned in DSA-048-1 were
  unfortunately compiled incorrectly: the stable chroot we used turned
  out to be running unstable instead.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1302.html

* Debian: 'samba' symlink attack
  April 17th, 2001

  Marcus Meissner discovered that samba was not creating temporary
  files safely in two places.

  Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/samba-common_2.0.7-3.2_i386.deb
  MD5 checksum: 28d1ca225b39dbba8e427c4a3ff4db5e

  http://security.debian.org/dists/stable/updates/main/binary-i386/samba_2.0.7-3.2_i386.deb
  MD5 checksum: 624e9fc767b45fcaee386e83def462b0

  http://security.debian.org/dists/stable/updates/main/binary-i386/smbclient_2.0.7-3.2_i386.deb
  MD5 checksum: ad4b5f2da854a7d4a7224cb8f87eb4bc

  http://security.debian.org/dists/stable/updates/main/binary-i386/smbfs_2.0.7-3.2_i386.deb
  MD5 checksum: 7d344d86f479417398a47c467b15202f

  http://security.debian.org/dists/stable/updates/main/binary-i386/swat_2.0.7-3.2_i386.deb
  MD5 checksum: c488d0e582b63a47743943c53a8b94ec

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1295.html

* Debian: 'exuberant-ctags' insecure temporary files
  April 15th, 2001

  The updated exuberant-ctags that was mentioned in DSA-046-1 was
  unfortunately compiled incorrectly: the stable chroot we used turned
  out to be running unstable instead.

  Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/exuberant-ctags_3.2.4-0.1_i386.deb
  MD5 checksum: 34d47b29d526d34b1b74701884201400

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1286.html

* Debian: kernel vulnerabilities
  April 15th, 2001

  The kernels used in Debian GNU/Linux 2.2 have been found to have
  multiple security problems.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1287.html

+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: libc/ftpd glob() vulnerability
  April 17th, 2001

  Remote users may be able to execute arbitrary code on the FTP server
  as the user running ftpd, usually root.
  The FTP daemon supplied with FreeBSD is enabled by default to allow
  access to authorized local users and not anonymous users, thus
  limiting the impact to authorized local users.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1294.html

* FreeBSD: IPFilter may incorrectly pass packets
  April 16th, 2001

  Malicious remote users may be able to bypass filtering rules,
  allowing them to potentially circumvent the firewall. IPFilter is not
  enabled by default. If you have not enabled IPFilter, your system is
  not vulnerable to this problem.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1288.html

+---------------------------------+
|  Immunix                        | ----------------------------//
+---------------------------------+

* Immunix: 'samba' temp file vulnerability
  April 18th, 2001

  Marcus Meissner has found a temp file race with the current versions
  of samba. This could allow any local malicious user to get
  administrator privileges on a machine running samba.

  http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.7-22_6.x_imnx_2.i386.rpm
  http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.7-22_6.x_imnx_2.i386.rpm
  http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-common-2.0.7-22_6.x_imnx_2.i386.rpm

  8ceb6938ab236d53ea48e471204e7b6d  samba-2.0.7-22_6.x_imnx_2.i386.rpm
  9b4b2919ec8114e342fd363a882024fc  samba-client-2.0.7-22_6.x_imnx_2.i386.rpm
  cc6b42cc017376ad602fd5bfed30f8cd  samba-common-2.0.7-22_6.x_imnx_2.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1296.html

* Immunix: 'pine' vulnerability
  April 17th, 2001

  Versions of pine that shipped with Immunix 6.2, 7.0-beta, and 7.0 are
  vulnerable to temp file races which could allow malicious users to
  obtain root privileges.

  Precompiled binary package for Immunix 6.2 is available at:
  http://immunix.org/ImmunixOS/6.2/updates/RPMS/pine-4.33-6.6x_StackGuard.i386.rpm
  a43ca7118fd2d59d3699bce8962435e6

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1289.html

* Immunix: 'netscape' buffer overflow
  April 17th, 2001

  Florian Wesch has found that Netscape versions prior to 4.77 are
  vulnerable to a buffer overflow bug in the way Netscape handles GIF
  images (see http://www.securityfocus.com/archive/1/175060 for more
  information).

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1290.html

+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+

* Mandrake: 'kernel' vulnerabilities
  April 18th, 2001

  A number of security problems have been found in the Linux kernels
  prior to the latest 2.2.19 kernel. Following is a list of problems
  based on the 2.2.19 release notes as found on http://www.linux.org.uk/

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1297.html

+---------------------------------+
|  Red Hat                        | ----------------------------//
+---------------------------------+

* Red Hat: 'kernel' vulnerability
  April 17th, 2001

  All Linux kernels prior to version 2.2.19 include possibilities for
  local denial of service or root exploits by exercising race
  conditions between the ptrace, exec, and/or suid system calls.
  Additionally, the sysctl system call included programming errors
  allowing a user to write to kernel memory. The 2.2.19 kernel fixes
  these problems.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1292.html

+---------------------------------+
|  Progeny                        | ----------------------------//
+---------------------------------+

* Progeny: 'samba' vulnerabilities
  April 18th, 2001

  Local users can overwrite system files, causing corruption and
  potentially gaining root access.

  http://archive.progeny.com/progeny/updates/newton/samba-common_2.0.7-3.2_i386.deb
  http://archive.progeny.com/progeny/updates/newton/samba_2.0.7-3.2_i386.deb
  http://archive.progeny.com/progeny/updates/newton/smbclient_2.0.7-3.2_i386.deb

  samba-common_2.0.7-3.2_i386.deb  7eabad23b6c221ec3cb50e6b41a7de99
  samba_2.0.7-3.2_i386.deb         36fbb1a508503bc9c0844b5f98f98264
  smbclient_2.0.7-3.2_i386.deb     fe8c68a7cf5499e2b665e5ac73aad3ac

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1305.html

* Progeny: UPDATED ntp packages
  April 14th, 2001

  Versions of the Network Time Protocol Daemon (ntpd) previous to and
  including 4.0.99k have a remote buffer overflow which may lead to a
  remote root exploit.

  http://archive.progeny.com/progeny/updates/newton/ntp_4.0.99g-2.0progeny6_i386.deb
  8ce73b29f7d4b77dda190c3b31c42255

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1285.html

* Progeny: 'openssh' traffic analysis vulnerability
  April 13th, 2001

  A number of security problems existed in previous versions of OpenSSH
  which would allow an attacker to obtain sensitive information by
  passively monitoring the encrypted SSH (Secure Shell) sessions.

  http://archive.progeny.com/progeny/updates/newton/ssh_2.5.2p2-0progeny1_i386.deb
  c64fdf411514850f3854a6395c5e178c

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1284.html

+---------------------------------+
|  SuSE                           | ----------------------------//
+---------------------------------+

* SuSE: 'nedit' vulnerability
  April 19th, 2001

  The Nirvana Editor, NEdit, is a GUI-style text editor based on
  popular Macintosh and MS Windows editors. When printing a whole text
  or selected parts of a text, nedit(1) creates a temporary file in an
  insecure manner. This behavior could be exploited to gain access to
  other users' privileges, even root.

  SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/xap2/nedit-5.1.1-151.i386.rpm
  07efdf2fa5c475fcf40633d392d4ae1d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1304.html

* SuSE: 'sudo' vulnerability
  April 18th, 2001

  The setuid application sudo(8) allows a user to execute commands
  under the privileges of another user (including root). sudo(8)
  previous to version 1.6.3p6 is vulnerable to a buffer overflow in its
  logging code, which could lead to local root compromise.

  SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/sudo-1.6.3p6-3.i386.rpm
  b0d658c98effd4e11bed6d8c1f5f80f9

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1303.html

+---------------------------------+
|  Trustix                        | ----------------------------//
+---------------------------------+

* Trustix: 'samba' vulnerability
  April 18th, 2001

  Samba up to version 2.0.7 uses mktemp(3) for creation of temporary
  files. This allows malicious local users to alter contents of other
  files on the system, and potentially gain superuser privileges.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1298.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.