+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| April 20th, 2001 Volume 2, Number 16a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@linuxsecurity.com ben@linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for samba, ctags, kernel,
cfingerd, ipfilter, sudo, nedit, netscape, pine, openssh, and ntp.
The vendors include Conectiva, Caldera, Debian, FreeBSD, Immunix,
Mandrake, Red Hat, Progeny, SuSE, and Trustix. A pretty serious
Samba vulnerability was described in multiple advisories. If you are
currently using samba, please make sure your system gets updated. As
always, please check all vulnerable packages.
EnGarde Linux i386 Now Available! - Guardian Digital, Inc., the Open
Source security company, has announced immediate availability of
EnGarde Secure Linux for the i386 platform.
http://www.engardelinux.org/download.html
### FREE Apache SSL Guide from Thawte ###
Planning Web Server Security? Find out how to implement SSL! Get the
free Thawte Apache SSL Guide and find the answers to all your Apache
SSL security issues and more at:
http://www.thawte.com/ucgi/gothawte.cgi?a=n342707510022000
HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+
# rpm -Uvh
# dpkg -i
Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.
+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+
The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.
# md5sum
ebf0d4a0d236453f63a797ea20f0758b
The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who modified a package may also
have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a
package before installing it.
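The check described above, written out as a small POSIX shell script; this is an added example and not part of the original newsletter. It assumes md5sum (or the BSD md5 command) is on the path, and the file name and checksum in the final comment are taken from the Debian samba entry later in this issue.

```shell
#!/bin/sh
# Added example, not from the newsletter: check a downloaded package
# against the checksum printed in the advisory before running
# "rpm -Uvh" or "dpkg -i" on it.

# Print the 128-bit MD5 fingerprint of a file as 32 lowercase hex digits.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"        # BSD/macOS spelling of the same command
    fi
}

# verify_md5 FILE PUBLISHED_SUM: 0 if the fingerprints match, 1 otherwise.
# The published value is lowercased first; advisories differ in case.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file: computed $actual, advisory says $expected" >&2
    return 1
}

# verify_list reads "FILE SUM" pairs on stdin (one per package, as copied
# from an advisory) and fails if any single package does not match, so a
# batch install can be gated on its exit status.
verify_list() {
    status=0
    while read -r f sum; do
        [ -n "$f" ] || continue
        verify_md5 "$f" "$sum" || status=1
    done
    return "$status"
}

# Example gate, using the samba package and sum from the Debian entry in
# this issue: install only when every listed sum matches.
# printf '%s\n' 'samba_2.0.7-3.2_i386.deb 624e9fc767b45fcaee386e83def462b0' \
#     | verify_list && dpkg -i samba_2.0.7-3.2_i386.deb
```

Take the published sum from the advisory text itself rather than from the same mirror that serves the package, since the caveat above applies whenever both come from one place.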
+---------------------------------+
| Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: 'kernel' vulnerabilities
April 19th, 2001
Several vulnerabilities have been found in the GNU/Linux kernel
versions prior to 2.2.19. It is possible for local users to obtain
root privileges, modify kernel memory and even crash the machine. A
full list of the security problems can be found at
http://www.linux.org.uk/VERSION/relnotes.2219.html.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1306.html
* Conectiva: 'samba' vulnerability
April 19th, 2001
Samba is a file server for Windows 9x/NT <-> Unix interoperability
over the SMB protocol. Versions below 2.0.8 have a temporary file
vulnerability which could be used by a remote attacker with a local
account on the server to corrupt block devices such as a hard disk
(/dev/hda).
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1307.html
* Conectiva: 'netscape' javascript vulnerability
April 17th, 2001
There is a vulnerability related to javascript in versions below 4.77
of Netscape that allows a remote webserver (which the user is
accessing at a particular time) to, for example, obtain information
about the client using the "about:" protocol, such as browser history
(about:global) or even browser configuration (about:config).
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1293.html
+---------------------------------+
| Caldera | ----------------------------//
+---------------------------------+
* Caldera: 'samba' vulnerabilities
April 18th, 2001
During our security audits we found several places within the Samba
server code which could lead to a local attacker gaining root access.
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
samba-2.0.6-3
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1299.html
+---------------------------------+
| Debian | ----------------------------//
+---------------------------------+
* Debian: 'cfingerd' vulnerability
April 19th, 2001
Megyer Laszlo reported on Bugtraq that cfingerd as distributed with
Debian GNU/Linux 2.2 was not careful in its logging code. By
combining this with an off-by-one error in the code that copied the
username from an ident response, cfingerd could be exploited by a
remote user. Since cfingerd does not drop its root privileges until
after it has determined which user to finger, an attacker can gain
root privileges.
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/cfingerd_1.4.1-1.1_i386.deb
MD5 checksum: 6ef1f240c9ab6fa1e94143d020bd782e
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1300.html
* Debian: [UPDATED] 'exuberant-ctags' vulnerability
April 19th, 2001
The updated exuberant-ctags that was mentioned in DSA-046-1 was
unfortunately compiled incorrectly: the stable chroot we used turned
out to be running unstable instead.
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/binary-sparc/exuberant-ctags_3.2.4-0.1.1_sparc.deb
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1301.html
* Debian: [UPDATED] 'samba' vulnerabilities
April 19th, 2001
The updated samba packages that were mentioned in DSA-048-1 were
unfortunately compiled incorrectly: the stable chroot we used turned
out to be running unstable instead.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1302.html
* Debian: 'samba' symlink attack
April 17th, 2001
Marcus Meissner discovered that samba was not creating temporary
files safely in two places.
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/samba-common_2.0.7-3.2_i386.deb
MD5 checksum: 28d1ca225b39dbba8e427c4a3ff4db5e
http://security.debian.org/dists/stable/updates/main/binary-i386/samba_2.0.7-3.2_i386.deb
MD5 checksum: 624e9fc767b45fcaee386e83def462b0
http://security.debian.org/dists/stable/updates/main/binary-i386/smbclient_2.0.7-3.2_i386.deb
MD5 checksum: ad4b5f2da854a7d4a7224cb8f87eb4bc
http://security.debian.org/dists/stable/updates/main/binary-i386/smbfs_2.0.7-3.2_i386.deb
MD5 checksum: 7d344d86f479417398a47c467b15202f
http://security.debian.org/dists/stable/updates/main/binary-i386/swat_2.0.7-3.2_i386.deb
MD5 checksum: c488d0e582b63a47743943c53a8b94ec
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1295.html
* Debian: 'exuberant-ctags' insecure temporary files
April 15th, 2001
The updated exuberant-ctags that was mentioned in DSA-046-1 was
unfortunately compiled incorrectly: the stable chroot we used turned
out to be running unstable instead.
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/exuberant-ctags_3.2.4-0.1_i386.deb
MD5 checksum: 34d47b29d526d34b1b74701884201400
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1286.html
* Debian: kernel vulnerabilities
April 15th, 2001
The kernels used in Debian GNU/Linux 2.2 have been found to have
multiple security problems. PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1287.html
+---------------------------------+
| FreeBSD | ----------------------------//
+---------------------------------+
* FreeBSD: libc/ftpd glob() vulnerability
April 17th, 2001
Remote users may be able to execute arbitrary code on the FTP server
as the user running ftpd, usually root. The FTP daemon supplied with
FreeBSD is enabled by default to allow access to authorized local
users and not anonymous users, thus limiting the impact to authorized
local users.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1294.html
* FreeBSD: IPFilter may incorrectly pass packets
April 16th, 2001
Malicious remote users may be able to bypass filtering rules,
allowing them to potentially circumvent the firewall. IPFilter is not
enabled by default. If you have not enabled IPFilter, your system is
not vulnerable to this problem.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1288.html
+---------------------------------+
| Immunix | ----------------------------//
+---------------------------------+
* Immunix: 'samba' temp file vulnerability
April 18th, 2001
Marcus Meissner has found a temp file race with the current versions
of samba. This could allow any local malicious user to get
administrator privileges on a machine running samba.
http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-2.0.7-22_6.x_imnx_2.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-client-2.0.7-22_6.x_imnx_2.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/RPMS/samba-common-2.0.7-22_6.x_imnx_2.i386.rpm
8ceb6938ab236d53ea48e471204e7b6d  samba-2.0.7-22_6.x_imnx_2.i386.rpm
9b4b2919ec8114e342fd363a882024fc  samba-client-2.0.7-22_6.x_imnx_2.i386.rpm
cc6b42cc017376ad602fd5bfed30f8cd  samba-common-2.0.7-22_6.x_imnx_2.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1296.html
* Immunix: 'pine' vulnerability
April 17th, 2001
Versions of pine that shipped with Immunix 6.2, 7.0-beta, and 7.0 are
vulnerable to temp file races which could allow malicious users to
obtain root privileges.
Precompiled binary package for Immunix 6.2 is available at:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/pine-4.33-6.6x_StackGuard.i386.rpm
a43ca7118fd2d59d3699bce8962435e6  pine-4.33-6.6x_StackGuard.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1289.html
* Immunix: 'netscape' buffer overflow
April 17th, 2001
Florian Wesch has found that Netscape versions prior to 4.77 are
vulnerable to a buffer overflow bug in the way Netscape handles gif
images (see http://www.securityfocus.com/archive/1/175060 for more
information).
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1290.html
+---------------------------------+
| Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: 'kernel' vulnerabilities
April 18th, 2001
A number of security problems have been found in the Linux kernels
prior to the latest 2.2.19 kernel. Following is a list of problems
based on the 2.2.19 release notes as found on
http://www.linux.org.uk/
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1297.html
+---------------------------------+
| Red Hat | ----------------------------//
+---------------------------------+
* Red Hat: 'kernel' vulnerability
April 17th, 2001
All Linux kernels prior to version 2.2.19 include possibilities for
local denial of service or root exploits by exercising race
conditions between the ptrace, exec, and/or suid system calls.
Additionally, the sysctl system call included programming errors
allowing a user to write to kernel memory. The 2.2.19 kernel fixes
these problems.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1292.html
+---------------------------------+
| Progeny | ----------------------------//
+---------------------------------+
* Progeny: 'samba' vulnerabilities
April 18th, 2001
Local users can overwrite system files, causing corruption and
potentially gaining root access.
http://archive.progeny.com/progeny/updates/newton/samba-common_2.0.7-3.2_i386.deb
http://archive.progeny.com/progeny/updates/newton/samba_2.0.7-3.2_i386.deb
http://archive.progeny.com/progeny/updates/newton/smbclient_2.0.7-3.2_i386.deb
7eabad23b6c221ec3cb50e6b41a7de99  samba-common_2.0.7-3.2_i386.deb
36fbb1a508503bc9c0844b5f98f98264  samba_2.0.7-3.2_i386.deb
fe8c68a7cf5499e2b665e5ac73aad3ac  smbclient_2.0.7-3.2_i386.deb
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1305.html
* Progeny: UPDATED ntp packages
April 14th, 2001
Versions of the Network Time Protocol Daemon (ntpd) previous to and
including 4.0.99k have a remote buffer overflow which may lead to a
remote root exploit.
http://archive.progeny.com/progeny/updates/newton/ntp_4.0.99g-2.0progeny6_i386.deb
8ce73b29f7d4b77dda190c3b31c42255  ntp_4.0.99g-2.0progeny6_i386.deb
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1285.html
* Progeny: 'openssh' traffic analysis vulnerability
April 13th, 2001
A number of security problems existed in previous versions of OpenSSH
which would allow an attacker to obtain sensitive information by
passively monitoring the encrypted SSH (Secure Shell) sessions.
http://archive.progeny.com/progeny/updates/newton/ssh_2.5.2p2-0progeny1_i386.deb
c64fdf411514850f3854a6395c5e178c  ssh_2.5.2p2-0progeny1_i386.deb
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1284.html
+---------------------------------+
| SuSE | ----------------------------//
+---------------------------------+
* SuSE: 'nedit' vulnerability
April 19th, 2001
The Nirvana Editor, NEdit, is a GUI-style text editor based on
popular Macintosh and MS Windows editors. When printing a whole text
or selected parts of a text, nedit(1) creates a temporary file in an
insecure manner. This behavior could be exploited to gain access to
other users' privileges, even root.
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/xap2/nedit-5.1.1-151.i386.rpm
07efdf2fa5c475fcf40633d392d4ae1d  nedit-5.1.1-151.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1304.html
* SuSE: 'sudo' vulnerability
April 18th, 2001
The setuid application sudo(8) allows a user to execute commands
under the privileges of another user (including root). sudo(8)
previous to version 1.6.3p6 is vulnerable to a buffer overflow in
its logging code, which could lead to local root compromise.
SuSE-7.1
ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/sudo-1.6.3p6-3.i386.rpm
b0d658c98effd4e11bed6d8c1f5f80f9  sudo-1.6.3p6-3.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1303.html
+---------------------------------+
| Trustix | ----------------------------//
+---------------------------------+
* Trustix: 'samba' vulnerability
April 18th, 2001
Samba up to version 2.0.7 uses mktemp(3) for creation of temporary
files. This allows malicious local users to alter contents of other
files on the system, and potentially gain superuser privileges.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1298.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 02:08:36 PDT