[ISN] Linux Advisory Watch - April 27th 2001

From: vuln-newsletter-adminsat_private
Date: Thu Apr 26 2001 - 21:27:12 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                      Linux  Advisory Watch  |
    |  April 27th, 2001                        Volume 2, Number 17a  |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                  Benjamin Thomas
                   daveat_private       benat_private
    
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the
    week. It includes pointers to updated packages and descriptions of
    each vulnerability.
    
    This week, advisories were released for mgetty, netscape, nedit,
    zope, sendfile, samba, hylafax, licq, slrn, and sudo.  The vendors
    include Debian, FreeBSD, Mandrake, Progeny, Red Hat, and SuSE. This
    was still a pretty active week.  The samba vulnerability and others
    such as sendfile and sudo are pretty serious.  As always, it is
    important to stay current with all software you choose to implement.
    
    
    EnGarde Linux i386 Now Available! - Guardian Digital, Inc., the Open
    Source security company, has announced immediate availability of
    EnGarde Secure Linux for the i386 platform.
    
    http://www.engardelinux.org/download.html
    
    
    
    
    HTML Version of Newsletter:
    http://www.linuxsecurity.com/vuln-newsletter.html
    
    
    +---------------------------------+
    | Installing a new package:       | ------------------------------//
    +---------------------------------+
    
    # rpm -Uvh <filename>
    # dpkg -i <filename>
    
    Packages can be installed easily by using rpm (Red Hat Package
    Manager) or dpkg (Debian Package Manager). Most advisories
    issued by vendors are packaged in either an rpm or dpkg.
    Additional installation instructions can be found in the body
    of the Advisories.
    
    +---------------------------------+
    | Checking Package Integrity:     | -----------------------------//
    +---------------------------------+
    
    The md5sum command is used to compute a 128-bit fingerprint that is
    strongly dependent upon the contents of the file to which it is
    applied. It can be used to compare against a previously-generated
    sum to determine whether the file has changed. It is commonly used
    to ensure the integrity of updated packages distributed by a vendor.
    
    
    # md5sum <filename>
    ebf0d4a0d236453f63a797ea20f0758b
    
    The resulting string can then be compared against the MD5 checksum
    published by the packager. This does not account for the
    possibility that whoever modified a package also modified the
    published checksum, but it is still useful for establishing a
    great deal of assurance in the integrity of a package before
    installing it.
    
    
    
    +---------------------------------+
    |   mgetty                        | ----------------------------//
    +---------------------------------+
    
    Previously-issued mgetty packages did not log messages correctly.
    Previous packages would encounter errors when attempting to spool
    outgoing fax jobs due to an incorrect patch applied to the faxspool
    script.  Log files for vgetty and vm were also not rotated.
    
    
     i386:  Red Hat 7.1
    
     ftp://updates.redhat.com/7.1/en/os/i386/
     mgetty-1.1.25-5.i386.rpm
     8d455745c570e7bce3096e0da79075a9
    
     ftp://updates.redhat.com/7.1/en/os/i386/
     mgetty-sendfax-1.1.25-5.i386.rpm
     8d455745c570e7bce3096e0da79075a9
    
     ftp://updates.redhat.com/7.1/en/os/i386/
     mgetty-viewfax-1.1.25-5.i386.rpm
     785096824b657ec2021ad2623712dd2e
    
     ftp://updates.redhat.com/7.1/en/os/i386/
     mgetty-voice-1.1.25-5.i386.rpm
     f2b8abb6d467965f48cfa20827130f98
    
     PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
    
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html
    
    
    
    +---------------------------------+
    |  netscape                       | ----------------------------//
    +---------------------------------+
    
    Florian Wesch has discovered a problem (reported to bugtraq) with the
    way Netscape handles comments in GIF files.  The Netscape browser
    does not escape the GIF file comment in the image information page.
    This allows JavaScript execution in the "about:" protocol and can,
    for example, be used to upload the History (about:global) to a
    webserver, thus leaking private information.  This problem has been
    fixed upstream in Netscape 4.77.
    
     PLEASE SEE VENDOR ADVISORY FOR CORRECT ARCHITECTURE/VERSION
    
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1323.html
    
    
    
    
    +---------------------------------+
    |  nedit                          | ----------------------------//
    +---------------------------------+
    
    The nedit (Nirvana editor) package as shipped in the non-free section
    accompanying Debian GNU/Linux 2.2/potato had a bug in its printing
    code: when printing text it would create a temporary file containing
    the text to be printed and pass that on to the print system. The
    temporary file was not created safely, which could be exploited by an
    attacker to make nedit overwrite arbitrary files.
    
     i386: Debian 2.2
    
     http://security.debian.org/dists/stable/updates/non-free/
     binary-i386/nedit_5.02-7.1_i386.deb
     1ad6fee0f55443820817b6a7e702afbf
    
     PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
    
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1325.html
    
    
    
    
    +---------------------------------+
    |  zope                           | ----------------------------//
    +---------------------------------+
    
    The issue involves the fact that the 'subscript notation' that can be
    used to access items of ObjectManagers (Folders) did not correctly
    restrict return values to only actual sub items.  This made it
    possible to access names that should be private from DTML (objects
    with names beginning with the underscore '_' character).  This could
    allow DTML authors to see private implementation data structures and
    in certain cases possibly call methods that they shouldn't have
    access to from DTML.
    
     i386: Debian 2.2
    
     http://security.debian.org/dists/stable/updates/
     main/binary-i386/zope_2.1.6-9_i386.deb
     ae4f9c9addd2cc22e05ecf2c1da09a14
    
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1324.html
    
    
    
    
    +---------------------------------+
    |   sendfile                      | ----------------------------//
    +---------------------------------+
    
    Colin Phipps and Daniel Kobras discovered and fixed several serious
    bugs in the saft daemon `sendfiled' which caused it to drop
    privileges incorrectly.  By exploiting this, a local user can easily
    make it execute arbitrary code under root privileges.
    
    
     i386: Progeny
    
     http://archive.progeny.com/progeny/updates/
     newton/sendfile_2.1-24_i386.deb
     903eef59cc9253d6d732326eafe9c307
    
     Progeny Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1322.html
    
    
    
    
    +---------------------------------+
    |   samba                         | ----------------------------//
    +---------------------------------+
    
    A vulnerability found by Marcus Meissner exists in Samba: it did not
    create temporary files safely, which could allow local users to
    overwrite files that they may not have access to.  This happened when
    a remote user queried a printer queue and Samba created a temporary
    file in which the queue's data was written.  Because Samba created
    the file insecurely and used a predictable filename, a local attacker
    could cause Samba to overwrite files that the attacker did not have
    access to.  The smbclient "more" and "mput" commands also created
    temporary files insecurely.
    
    
     i586: Linux-Mandrake 8.0:
    
     http://www.linux-mandrake.com/en/ftp.php3
    
     8.0/RPMS/samba-2.0.8-1.3mdk.i586.rpm
     ef8d5cd992f07be3878e65c69abb2606
    
     8.0/RPMS/samba-client-2.0.8-1.3mdk.i586.rpm
     1ad7f4f08f48c42b64cf2b8e9937999c
    
     8.0/RPMS/samba-common-2.0.8-1.3mdk.i586.rpm
     5224020f261a0493ff41570b2d42bc79
    
     PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
    
     Mandrake Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1319.html
    
    
    
     i386 FreeBSD:
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-4-stable/net/samba-2.0.8.tgz
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-5-current/net/samba-2.0.8.tgz
    
     PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
    
     FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1314.html
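
The unsafe temporary-file pattern described in the nedit and samba entries above, beside a hardened form. This is an added C example, not code from either project; the function names, the "queue.tmp" name and the scratch directory are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: predictable name and no O_EXCL, so open() follows a symlink
 * planted at `path` and truncates the file it points to. */
static int open_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL, mode 0600; an existing file or symlink is never reused. */
static int open_safe(const char *dir, char *path, size_t len)
{
    if (snprintf(path, len, "%s/queue.XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path);
}

/* Constructed scenario in a private scratch directory: a symlink already
 * sits at the predictable name and points at a 12-byte "victim" file.
 * Returns the victim's size after one byte of queue data is written. */
long victim_size_after(int hardened)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], fixed[64], tmp[64] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fixed, sizeof fixed, "%s/queue.tmp", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "do not touch", 12) != 12) return -1;
    close(fd);
    if (symlink(victim, fixed) != 0) return -1;
    fd = hardened ? open_safe(dir, tmp, sizeof tmp) : open_weak(fixed);
    if (fd >= 0) { if (write(fd, "x", 1) != 1) return -1; close(fd); }
    if (stat(victim, &st) != 0) return -1;
    if (tmp[0]) unlink(tmp);
    unlink(fixed); unlink(victim); rmdir(dir);
    return (long)st.st_size;
}

int main(void)
{
    printf("weak: %ld, hardened: %ld\n", victim_size_after(0), victim_size_after(1));
    return 0;
}
```

With the weak open the victim file shrinks to the single byte of queue data; with mkstemp() it keeps its original 12 bytes.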
    
    
    
    
    +---------------------------------+
    |   hylafax                       | ----------------------------//
    +---------------------------------+
    
    
    When hfaxd(8c) tries to change to its queue directory and fails, it
    prints an error message via syslog by directly passing user-supplied
    data as the format string. As long as hfaxd(8c) is installed setuid
    root, this behavior could be exploited to gain root access locally.
    
    
     i386: SuSE-7.1:
    
     ftp://ftp.suse.com/pub/suse/i386/update/7.1/
     n3/hylafax-4.1beta2-251.i386.rpm
     a3d5d0d5a8977852b02dc9b7352054aa
    
     PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
    
     SuSE Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-1311.html
    
    
     i386: FreeBSD:
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-4-stable/comms/hylafax-4.1.b2_2.tgz
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-5-current/comms/hylafax-4.1.b2_2.tgz
    
     FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1312.html
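
The format-string mistake described in the hylafax entry above, beside the corrected call. This is an added C example, not hfaxd's code: fake_syslog() is a stand-in with syslog(3)'s printf-style contract so the rendered text can be inspected, and treating the directory name as the user-supplied datum is an assumption.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3) (an assumption of this example): same printf-style
 * contract, but the rendered message goes into `out` for inspection. */
static void fake_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Weak: the message, which embeds the caller-supplied directory name, is
 * itself used as the format string. Equivalent to syslog(LOG_ERR, msg). */
void log_chdir_weak(char *out, size_t n, const char *dir)
{
    char msg[256];
    snprintf(msg, sizeof msg, "cannot chdir to %s", dir);
    fake_syslog(out, n, msg);
}

/* Hardened: constant format string, data passed only as an argument.
 * Equivalent to syslog(LOG_ERR, "cannot chdir to %s", dir). */
void log_chdir_safe(char *out, size_t n, const char *dir)
{
    fake_syslog(out, n, "cannot chdir to %s", dir);
}

int main(void)
{
    /* Constructed input: "%%" is the one directive that is well defined on
     * the weak path, because it consumes no argument. */
    const char *dir = "/var/spool/100%%full";
    char a[256], b[256];
    log_chdir_weak(a, sizeof a, dir);
    log_chdir_safe(b, sizeof b, dir);
    printf("weak: %s\nsafe: %s\ndiffer: %d\n", a, b, strcmp(a, b) != 0);
    return 0;
}
```

The weak path rewrites the data ("%%" becomes "%"), which shows the input is being parsed as directives; GCC's -Wformat-security flags direct calls of this shape to real printf-style functions.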
    
    
    
    +---------------------------------+
    |   licq                          | ----------------------------//
    +---------------------------------+
    
    The licq port, versions prior to 1.0.3, contains a vulnerability in
    URL parsing.  URLs received by the licq program are passed to the web
    browser using the system() function.  Since licq performs no sanity
    checking, a remote attacker may be able to pipe commands contained in
    the URL, causing the client to execute arbitrary commands.
    Additionally, the licq program also contains a buffer overflow in the
    logging functions, allowing a remote attacker to cause licq to crash
    and potentially execute arbitrary code on the local machine as the
    user running licq.
    
    
     i386: FreeBSD:
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-4-stable/net/licq-1.0.3.tgz
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-5-current/net/licq-1.0.3.tgz
    
     FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1313.html
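
The system() URL hand-off described in the licq entry above, beside a hardened launcher that validates the URL and runs the browser without a shell. This is an added C example, not licq's code; the function names, the allowed character set and the use of "true" as a stand-in browser are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak: the URL is pasted into a shell command line, so shell
 * metacharacters inside the URL are interpreted by /bin/sh. */
int open_url_weak(const char *browser, const char *url)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", browser, url);
    int st = system(cmd);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Sanity check: http(s) scheme only, and a conservative subset of the
 * characters a URL may contain (no whitespace, quotes, ';', '|', '$'). */
int url_is_acceptable(const char *url)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789-._~:/?#[]@!*+,=%&";
    if (strncmp(url, "http://", 7) && strncmp(url, "https://", 8))
        return 0;
    return url[strspn(url, ok)] == '\0';
}

/* Hardened: validate, then exec the browser directly with the URL as one
 * argv element. No shell is involved, so nothing in the URL is parsed. */
int open_url_safe(const char *browser, const char *url)
{
    int st;
    pid_t pid;
    if (!url_is_acceptable(url)) return -2;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    const char *bad = "http://example.invalid/;exit 7"; /* constructed input */
    printf("weak=%d safe=%d\n", open_url_weak("true", bad), open_url_safe("true", bad));
    return 0;
}
```

The weak launcher returns 7 because the shell ran the text after the semicolon; the hardened one rejects that URL with -2 and returns 0 for a well-formed one.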
    
    
    
    +---------------------------------+
    |  slrn                           | ----------------------------//
    +---------------------------------+
    
    The slrn port, versions prior to slrn-0.9.7.0, contains a buffer
    overflow in the wrapping/unwrapping functions of message header
    parsing.  If a sufficiently long header is parsed, a buffer may
    overflow allowing the execution of arbitrary code contained in a
    message header as the user running the slrn program.
    
     i386 FreeBSD:
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-4-stable/news/slrn-0.9.7.0.tgz
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-5-current/news/slrn-0.9.7.0.tgz
    
     FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1315.html
    
    
    
    
    +---------------------------------+
    |   sudo                          | ----------------------------//
    +---------------------------------+
    
    
    The sudo port, versions prior to sudo-1.6.3.7, contains a local
    command-line buffer overflow allowing a local user to potentially
    gain increased privileges on the local system.
    
     i386 FreeBSD:
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-4-stable/security/sudo-1.6.3.7.tgz
    
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
     packages-5-current/security/sudo-1.6.3.7.tgz
    
     FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1316.html
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
    ------------------------------------------------------------------------
    
    ISN is hosted by SecurityFocus.com