[ISN] Linux Advisory Watch - April 20th 2001

From: vuln-newsletter-adminsat_private
Date: Thu Apr 19 2001 - 22:30:29 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                      Linux  Advisory Watch  |
    |  April 20th, 2001                        Volume 2, Number 16a  |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                  Benjamin Thomas
                   daveat_private       benat_private
    
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the
    week. It includes pointers to updated packages and descriptions of
    each vulnerability.
    
    This week, advisories were released for samba, ctags, kernel,
    cfingerd, ftpd, ipfilter, sudo, nedit, netscape, pine, openssh, and
    ntp.
    The vendors include Conectiva, Caldera, Debian, FreeBSD, Immunix,
    Mandrake, Red Hat, Progeny, SuSE, and Trustix. A pretty serious
    Samba vulnerability was described in multiple advisories.  If you are
    currently using samba, please make sure your system gets updated.  As
    always, please check all vulnerable packages.
    
    EnGarde Linux i386 Now Available! - Guardian Digital, Inc., the Open
    Source security company, has announced immediate availability of
    EnGarde Secure Linux for the i386 platform.
    
    http://www.engardelinux.org/download.html
    
    
    
    ### FREE Apache SSL Guide from Thawte ###
    
    Planning Web Server Security? Find out how to implement SSL! Get the
    free Thawte Apache SSL Guide and find the answers to all your Apache
    SSL security issues and more at:
    
    http://www.thawte.com/ucgi/gothawte.cgi?a=n342707510022000
    
    
    HTML Version of Newsletter:
    http://www.linuxsecurity.com/vuln-newsletter.html
    
    
    +---------------------------------+
    | Installing a new package:       | ------------------------------//
    +---------------------------------+
    
    # rpm -Uvh package.rpm
    # dpkg -i package.deb
    
    Packages can be installed easily by using rpm (Red Hat Package
    Manager) or dpkg (Debian Package Manager); "package.rpm" and
    "package.deb" above stand for the update file you downloaded. Most
    updates issued by vendors are packaged as either an .rpm or a .deb.
    Additional installation instructions can be found in the body of
    the advisories.
    
    +---------------------------------+
    | Checking Package Integrity:     | -----------------------------//
    +---------------------------------+
    
    The md5sum command is used to compute a 128-bit fingerprint that is
    strongly dependent upon the contents of the file to which it is
    applied. It can be used to compare against a previously-generated
    sum to determine whether the file has changed. It is commonly used
    to ensure the integrity of updated packages distributed by a vendor.
    
    
    # md5sum package.rpm
    ebf0d4a0d236453f63a797ea20f0758b  package.rpm
    
    The 32 hexadecimal digits can then be compared against the MD5
    checksum published by the packager. This verifies integrity, not
    authenticity: whoever was able to replace the package on a mirror
    may also have been able to replace a checksum published alongside
    it, so take the reference sum from a separate channel (the vendor's
    advisory itself, or a signed announcement) rather than from the
    download site. With that caveat, comparing sums gives a great deal
    of assurance in the integrity of a package before installing it.
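    The check described above, written out as a small script. This is an
    added example, not a tool from the newsletter or from any vendor. It
    assumes a checksum manifest in one of the two shapes that appear in
    the advisories below (hash followed by filename, as md5sum prints, or
    filename followed by hash), and a directory of downloaded packages;
    the file names, contents and sums in demo() are constructed for the
    example. MD5 is used because that is what these advisories publish;
    MD5 has since been shown to be collision-prone, and today a vendor
    publishes SHA-256 sums and a signature, so swap hashlib.md5 for
    hashlib.sha256 when verifying modern packages.

```python
"""Verify downloaded packages against vendor-published MD5 sums.

Added example for the md5sum section above; not a tool from the newsletter.
Manifest lines are accepted in the two shapes the advisories use:
  "<32 hex>  <filename>"   (md5sum output / "md5sum -c" style)
  "<filename> <32 hex>"    (filename first, as in the Progeny entries)
"""
import hashlib
import hmac
import os
import re
import shutil
import tempfile

HEX32 = r"[0-9a-fA-F]{32}"
_HASH_FIRST = re.compile(rf"^\s*({HEX32})\s+\*?(\S+)\s*$")
_NAME_FIRST = re.compile(rf"^\s*(\S+)\s+({HEX32})\s*$")


def parse_manifest(text):
    """Return {filename: md5hex} from manifest text; blank and '#' lines are skipped."""
    expected = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _HASH_FIRST.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
            continue
        m = _NAME_FIRST.match(line)
        if m:
            expected[m.group(1)] = m.group(2).lower()
            continue
        raise ValueError(f"unparseable manifest line: {line!r}")
    return expected


def md5_of_file(path, chunk_size=1 << 16):
    """Hex MD5 of a file, read in chunks so a large package is not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_packages(manifest_text, directory):
    """Map each manifest entry to 'ok', 'MISMATCH' or 'MISSING'.

    Only the basename of a manifest entry is used, so a crafted manifest
    cannot make the script hash files outside the download directory.
    """
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        got = md5_of_file(path)
        # Digests are public, so == would do; compare_digest is simply the habit.
        results[name] = "ok" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def all_ok(results):
    """True only if every listed package verified; an empty manifest does not pass."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo():
    """Constructed sample: two files in a scratch directory plus a manifest
    that lists them and a third file that was never downloaded."""
    d = tempfile.mkdtemp(prefix="lawatch-")
    try:
        with open(os.path.join(d, "good.rpm"), "wb") as f:
            f.write(b"abc")   # MD5("abc") is the RFC 1321 test vector used below
        with open(os.path.join(d, "tampered.rpm"), "wb") as f:
            f.write(b"abd")   # one byte changed after the sum was published
        manifest = (
            "900150983cd24fb0d6963f7d28e17f72  good.rpm\n"
            "tampered.rpm 900150983cd24fb0d6963f7d28e17f72\n"
            "missing.rpm d41d8cd98f00b204e9800998ecf8427e\n"
        )
        return verify_packages(manifest, d)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

    Run it from the directory holding the downloaded packages with the
    manifest pasted from the advisory mail; anything other than "ok" on
    every line means the package should not be installed.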
    
    
    
    +---------------------------------+
    |   Conectiva                     | ----------------------------//
    +---------------------------------+
    
    
    * Conectiva:  'kernel' vulnerabilities
    April 19th, 2001
    
    Several vulnerabilities have been found in the Linux kernel in
    versions prior to 2.2.19. It is possible for local users to obtain
    root privileges, modify kernel memory and even crash the machine. A
    full list of the security problems can be found at
    http://www.linux.org.uk/VERSION/relnotes.2219.html.
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1306.html
    
    
    
    * Conectiva:  'samba' vulnerability
    April 19th, 2001
    
    Samba is a file server for Windows 9x/NT <-> Unix interoperability
    over the SMB protocol. Versions below 2.0.8 have a temporary file
    vulnerability which could be used by an attacker with a local
    account on the server (whether logged in locally or remotely) to
    corrupt block devices such as a hard disk (/dev/hda).
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1307.html
    
    
    
    * Conectiva:  'netscape' javascript vulnerability
    April 17th, 2001
    
    A JavaScript vulnerability in versions of Netscape below 4.77 allows
    the remote web server the user is currently visiting to, for
    example, obtain information about the client through the "about:"
    protocol, such as the browser history (about:global) or even the
    browser configuration (about:config).
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1293.html
    
    
    
    
    
    +---------------------------------+
    |   Caldera                       | ----------------------------//
    +---------------------------------+
    
    * Caldera:  'samba' vulnerabilities
    April 18th, 2001
    
    During our security audits we found several places within the Samba
    server code which could lead to a local attacker gaining root access.
    
     ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
     samba-2.0.6-3
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/caldera_advisory-1299.html
    
    
    
    +---------------------------------+
    |   Debian                        | ----------------------------//
    +---------------------------------+
    
    
    
    * Debian:  'cfingerd' vulnerability
    April 19th, 2001
    
    Megyer Laszlo reported on Bugtraq that cfingerd as distributed with
    Debian GNU/Linux 2.2 was not careful in its logging code. Combined
    with an off-by-one error in the code that copies the username from
    an ident response, this allows cfingerd to be exploited by a remote
    user. Since cfingerd does not drop its root privileges until after
    it has determined which user to finger, an attacker can gain root
    privileges.
    
     Intel ia32 architecture:
     http://security.debian.org/dists/stable/updates/main/
     binary-i386/cfingerd_1.4.1-1.1_i386.deb
     MD5 checksum: 6ef1f240c9ab6fa1e94143d020bd782e
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1300.html
    
    
    
    * Debian: [UPDATED] 'exuberant-ctags' vulnerability
    April 19th, 2001
    
    The updated exuberant-ctags that was mentioned in DSA-046-1 was
    unfortunately compiled incorrectly: the stable chroot we used turned
    out to be running unstable instead.
    
     Sun Sparc architecture:
     http://security.debian.org/dists/stable/updates/main/
     binary-sparc/exuberant-ctags_3.2.4-0.1.1_sparc.deb
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1301.html
    
    
    
    
    * Debian:  [UPDATED] 'samba' vulnerabilities
    April 19th, 2001
    
    The updated samba packages that were mentioned in DSA-048-1 were
    unfortunately compiled incorrectly: the stable chroot we used turned
    out to be running unstable instead.
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1302.html
    
    
    
    
    
    
    * Debian: 'samba' symlink attack
    April 17th, 2001
    
    Marcus Meissner discovered that samba was not creating temporary
    files safely in two places.
    
     Intel ia32 architecture:
     http://security.debian.org/dists/stable/updates/main/binary-i386/
     samba-common_2.0.7-3.2_i386.deb
     MD5 checksum: 28d1ca225b39dbba8e427c4a3ff4db5e
    
     http://security.debian.org/dists/stable/updates/main/binary-i386
     /samba_2.0.7-3.2_i386.deb
     MD5 checksum: 624e9fc767b45fcaee386e83def462b0
    
     http://security.debian.org/dists/stable/updates/main/binary-i386
     /smbclient_2.0.7-3.2_i386.deb
     MD5 checksum: ad4b5f2da854a7d4a7224cb8f87eb4bc
    
     http://security.debian.org/dists/stable/updates/main/binary-i386
     /smbfs_2.0.7-3.2_i386.deb
     MD5 checksum: 7d344d86f479417398a47c467b15202f
    
     http://security.debian.org/dists/stable/updates/main/binary-i386
     /swat_2.0.7-3.2_i386.deb
     MD5 checksum: c488d0e582b63a47743943c53a8b94ec
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1295.html
    
    
    
    
    * Debian: 'exuberant-ctags' insecure temporary files
    April 15th, 2001
    
    exuberant-ctags as shipped with Debian GNU/Linux 2.2 creates
    temporary files insecurely. This is the original DSA-046-1 advisory;
    its packages were later rebuilt (see the [UPDATED] entry above).
    
     Intel ia32 architecture:
     http://security.debian.org/dists/stable/updates/main/binary-i386/
     exuberant-ctags_3.2.4-0.1_i386.deb
     MD5 checksum: 34d47b29d526d34b1b74701884201400
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1286.html
    
    
    
    * Debian: kernel vulnerabilities
    April 15th, 2001
    
    The kernels used in Debian GNU/Linux 2.2 have been found to have
    multiple security problems.
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1287.html
    
    
    
    
    
    +---------------------------------+
    |   FreeBSD                       | ----------------------------//
    +---------------------------------+
    
    
    
    * FreeBSD:  libc/ftpd glob() vulnerability
    April 17th, 2001
    
    Remote users may be able to execute arbitrary code on the FTP server
    as the user running ftpd, usually root. The FTP daemon supplied with
    FreeBSD is configured by default to allow access only to authorized
    local users and not to anonymous users, which limits exploitation to
    users who already hold an account.
    
     ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1294.html
    
    
    
    * FreeBSD: IPFilter may incorrectly pass packets
    April 16th, 2001
    
    Malicious remote users may be able to bypass filtering rules,
    allowing them to potentially circumvent the firewall. IPFilter is not
    enabled by default. If you have not enabled IPFilter, your system is
    not vulnerable to this problem.
    
     ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1288.html
    
    
    
    
    +---------------------------------+
    |   Immunix                       | ----------------------------//
    +---------------------------------+
    
    
    * Immunix:  'samba' temp file vulnerability
    April 18th, 2001
    
    Marcus Meissner has found a temp file race in the current versions
    of samba. This could allow any malicious local user to gain root
    privileges on a machine running samba.
    
     http://immunix.org/ImmunixOS/6.2/updates/RPMS/
     samba-2.0.7-22_6.x_imnx_2.i386.rpm
    
     http://immunix.org/ImmunixOS/6.2/updates/RPMS/
     samba-client-2.0.7-22_6.x_imnx_2.i386.rpm
    
     http://immunix.org/ImmunixOS/6.2/updates/RPMS/
     samba-common-2.0.7-22_6.x_imnx_2.i386.rpm
    
     8ceb6938ab236d53ea48e471204e7b6d
     samba-2.0.7-22_6.x_imnx_2.i386.rpm
    
     9b4b2919ec8114e342fd363a882024fc
     samba-client-2.0.7-22_6.x_imnx_2.i386.rpm
    
     cc6b42cc017376ad602fd5bfed30f8cd
     samba-common-2.0.7-22_6.x_imnx_2.i386.rpm
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1296.html
    
    
    
    * Immunix:  'pine' vulnerability
    April 17th, 2001
    
    Versions of pine that shipped with Immunix 6.2, 7.0-beta, and 7.0 are
    vulnerable to temp file races which could allow malicious users to
    obtain root privileges.
    
     Precompiled binary package for Immunix 6.2 is available at:
     http://immunix.org/ImmunixOS/6.2/updates/RPMS/
    
     pine-4.33-6.6x_StackGuard.i386.rpm
     a43ca7118fd2d59d3699bce8962435e6
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1289.html
    
    
    
    
    * Immunix:  'netscape' buffer overflow
    April 17th, 2001
    
    Florian Wesch has found that Netscape versions prior to 4.77 are
    vulnerable to a buffer overflow bug in the way Netscape handles gif
    images (see http://www.securityfocus.com/archive/1/175060 for more
    information).
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1290.html
    
    
    
    
    +---------------------------------+
    |   Mandrake                      | ----------------------------//
    +---------------------------------+
    
    
    * Mandrake:  'kernel' vulnerabilities
    April 18th, 2001
    
    A number of security problems have been found in the Linux kernels
    prior to the latest 2.2.19 kernel. Following is a list of problems
    based on the 2.2.19 release notes as found on
    http://www.linux.org.uk/
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1297.html
    
    
    
    +---------------------------------+
    |   Red Hat                       | ----------------------------//
    +---------------------------------+
    
    
    * Red Hat:  'kernel' vulnerability
    April 17th, 2001
    
    All Linux kernels prior to version 2.2.19 allow local denial of
    service or root exploits through race conditions between the
    ptrace, exec, and/or setuid system calls. Additionally, the sysctl
    system call contained programming errors allowing a user to write
    to kernel memory. The 2.2.19 kernel fixes these problems.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-1292.html
    
    
    
    
    +---------------------------------+
    |   Progeny                       | ----------------------------//
    +---------------------------------+
    
    
    * Progeny:  'samba' vulnerabilities
    April 18th, 2001
    
    Local users can overwrite system files, causing corruption and
    potentially gaining root access.
    
     http://archive.progeny.com/progeny/updates/newton/
     samba-common_2.0.7-3.2_i386.deb
    
     http://archive.progeny.com/progeny/updates/newton
     /samba_2.0.7-3.2_i386.deb
    
     http://archive.progeny.com/progeny/updates/newton/
     smbclient_2.0.7-3.2_i386.deb
    
     samba-common_2.0.7-3.2_i386.deb
     7eabad23b6c221ec3cb50e6b41a7de99
    
     samba_2.0.7-3.2_i386.deb
     36fbb1a508503bc9c0844b5f98f98264
    
     smbclient_2.0.7-3.2_i386.deb
     fe8c68a7cf5499e2b665e5ac73aad3ac
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1305.html
    
    
    
    
    * Progeny:  UPDATED ntp packages
    April 14th, 2001
    
    Versions of the Network Time Protocol Daemon (ntpd) up to and
    including 4.0.99k have a remote buffer overflow which may lead to a
    remote root exploit.
    
     http://archive.progeny.com/progeny/updates/newton/
     ntp_4.0.99g-2.0progeny6_i386.deb
     8ce73b29f7d4b77dda190c3b31c42255
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1285.html
    
    
    
    
    * Progeny:  'openssh' traffic analysis vulnerability
    April 13th, 2001
    
    A number of security problems existed in previous versions of OpenSSH
    which would allow an attacker to obtain sensitive information by
    passively monitoring encrypted SSH (Secure Shell) sessions.
    
     http://archive.progeny.com/progeny/updates/newton/
     ssh_2.5.2p2-0progeny1_i386.deb
     c64fdf411514850f3854a6395c5e178c
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1284.html
    
    
    
    
    +---------------------------------+
    |   SuSE                          | ----------------------------//
    +---------------------------------+
    
    
    * SuSE:  'nedit' vulnerability
    April 19th, 2001
    
    The Nirvana Editor, NEdit, is a GUI-style text editor based on
    popular Macintosh and MS Windows editors. When printing a whole text
    or selected parts of a text, nedit(1) creates a temporary file in an
    insecure manner. This behavior could be exploited to gain other
    users' privileges, even root's.
    
     SuSE-7.1
    
     ftp://ftp.suse.com/pub/suse/i386/update/7.1/xap2/
     nedit-5.1.1-151.i386.rpm
     07efdf2fa5c475fcf40633d392d4ae1d
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-1304.html
    
    
    
    
    * SuSE:  'sudo' vulnerability
    April 18th, 2001
    
    The setuid application sudo(8) allows a user to execute commands
    under the privileges of another user (including root). sudo(8)
    prior to version 1.6.3p6 contains a buffer overflow in its logging
    code, which could lead to local root compromise.
    
     SuSE-7.1
    
     ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/
     sudo-1.6.3p6-3.i386.rpm
     b0d658c98effd4e11bed6d8c1f5f80f9
    
    
     http://www.linuxsecurity.com/advisories/suse_advisory-1303.html
    
    
    
    +---------------------------------+
    |   Trustix                       | ----------------------------//
    +---------------------------------+
    
    
    * Trustix:  'samba' vulnerability
    April 18th, 2001
    
    Samba up to version 2.0.7 uses mktemp(3) for creation of temporary
    files. This allows malicious local users to alter the contents of
    other files on the system, and potentially gain superuser privileges.
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1298.html
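    The samba, pine, nedit and exuberant-ctags entries in this issue all
    describe one bug class: a program picks a predictable temporary file
    name (mktemp(3) style) and then opens it without O_EXCL, so a local
    user who plants a symlink at that name first gets the program to
    truncate and write whatever the link points at, with the program's
    privileges. The following is an added example that plays that attack
    against itself in a private scratch directory and shows the hardened
    open refusing; it is not code from samba or any of the other
    packages. It assumes a writable /tmp; the victim file, the temp file
    name "app.tmp" and the sandbox directory are constructed for the
    demonstration.

```c
/* Predictable temp file + planted symlink: the bug class behind the samba,
 * pine, nedit and ctags advisories above.  Added example; not code from any
 * of those packages.  Assumes a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: mktemp(3) hands back a guessable name, then the file
 * is opened without O_EXCL.  If a local attacker has already planted a
 * symlink at that name, open() follows it and truncates/writes whatever the
 * attacker chose: a config file, or a block device such as /dev/hda. */
static int unsafe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything exists at
 * the path, and POSIX requires that a symlink there is not followed.  This
 * is what mkstemp(3) does internally, on top of an unpredictable name. */
static int safe_open_tmp(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Post-open check a careful daemon adds: the descriptor must be a regular
 * file with one link, owned by us, so a swapped directory cannot fool it. */
static int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == geteuid();
}

static int g_safe_errno;   /* errno from the hardened open, for main() */

/* Plays the attack inside a private sandbox directory.  Returns -1 on setup
 * failure, otherwise a bitmask: bit 0 = the vulnerable open overwrote the
 * victim file through the symlink; bit 1 = the hardened open refused with
 * EEXIST.  A run that shows both behaviours therefore returns 3. */
int run_symlink_race_demo(void)
{
    char dir[] = "/tmp/lawatch-XXXXXX";
    char victim[64], tmpname[64], buf[16] = "";
    int fd, result = 0;
    ssize_t n;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/app.tmp", dir);  /* guessable name */

    /* The file the attacker wants overwritten (stands in for /etc/passwd). */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8) return -1;
    close(fd);

    /* Attacker wins the race: a symlink now sits at the predictable name. */
    if (symlink(victim, tmpname) != 0) return -1;

    /* The vulnerable program "creates" its temp file and writes to it... */
    fd = unsafe_open_tmp(tmpname);
    if (fd >= 0) {
        n = write(fd, "pwned", 5);
        close(fd);
    }
    /* ...and the victim file now holds the attacker-controlled content. */
    fd = open(victim, O_RDONLY);
    if (fd >= 0) {
        n = read(fd, buf, sizeof buf - 1);
        if (n > 0) buf[n] = '\0';
        close(fd);
    }
    if (strcmp(buf, "pwned") == 0) result |= 1;

    /* The hardened program refuses: to O_EXCL the symlink counts as "exists". */
    fd = safe_open_tmp(tmpname);
    if (fd < 0) {
        g_safe_errno = errno;
        if (errno == EEXIST) result |= 2;
    } else {
        if (!fd_is_private_regular_file(fd)) g_safe_errno = EPERM;
        close(fd);
    }

    unlink(tmpname); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_symlink_race_demo();
    if (r < 0) { perror("setup"); return 1; }
    printf("unsafe open overwrote victim via symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("safe open refused with EEXIST:            %s (%s)\n",
           (r & 2) ? "yes" : "no", strerror(g_safe_errno));
    return 0;
}
```

    The fix the vendors shipped amounts to the second open: an
    unguessable name plus O_CREAT|O_EXCL, which is exactly what
    mkstemp(3) provides, followed by an fstat() on the descriptor rather
    than a stat() on the path, since only the descriptor is immune to a
    further rename or symlink swap.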
    
    
    
    
    
    
    
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    


