+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  April 27th, 2001                         Volume 2, Number 17a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin Thomas
               daveat_private                benat_private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for mgetty, netscape, nedit, zope,
sendfile, samba, hylafax, licq, slrn, and sudo. The vendors include
Debian, FreeBSD, Mandrake, Progeny, Red Hat, and SuSE. This was still a
pretty active week. The samba vulnerability and others such as sendfile
and sudo are pretty serious. As always, it is important to stay current
with all software you choose to implement.

EnGarde Linux i386 Now Available! - Guardian Digital, Inc., the Open
Source security company, has announced immediate availability of
EnGarde Secure Linux for the i386 platform.

  http://www.engardelinux.org/download.html

** FREE Apache SSL Guide from Thawte Certification **

Do your online customers demand the best available protection of their
personal information? Thawte's guide explains how to give this to your
customers by implementing SSL on your Apache Web Server. Click here to
get our FREE Thawte Apache Guide:

  http://www.thawte.com/ucgi/gothawte.cgi?a=n342707510022000

HTML Version of Newsletter:
  http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

  # rpm -Uvh <package>
  # dpkg -i <package>

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the Advisories.
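As an added example (it is not part of the newsletter), the following POSIX shell functions tie the install step to the checksum comparison described in the next section: compute the md5sum of a downloaded update, compare it with the checksum printed beside that package in the advisory entry, and only then hand the file to rpm or dpkg. The function names verify_md5 and install_verified, and the choice of installer by file extension, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the newsletter: refuse to install a package whose
# MD5 checksum does not match the one published in the vendor advisory.

# verify_md5 FILE EXPECTED_SUM
# Returns 0 when the MD5 of FILE equals EXPECTED_SUM, 1 otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "verify_md5: no such file: $file" >&2; return 1; }
    # md5sum prints "<sum>  <name>"; keep only the checksum field
    actual=$(md5sum "$file" | cut -d' ' -f1)
    # advisories print checksums in either case, so compare in lower case
    actual_lc=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected_lc=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual_lc" = "$expected_lc" ]; then
        return 0
    fi
    echo "verify_md5: MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# install_verified FILE EXPECTED_SUM
# Installs FILE with rpm or dpkg according to its extension, but only after
# verify_md5 succeeds. On a mismatch nothing is installed and 1 is returned.
install_verified() {
    file=$1
    expected=$2
    verify_md5 "$file" "$expected" || return 1
    case $file in
        *.rpm) rpm -Uvh "$file" ;;
        *.deb) dpkg -i "$file" ;;
        *) echo "install_verified: unknown package type: $file" >&2; return 1 ;;
    esac
}

# Usage (checksum taken from the advisory entry for the package):
#   install_verified mgetty-1.1.25-5.i386.rpm <checksum from the advisory>
```

A mismatch, a missing file, or an unrecognized package type all return 1 before rpm or dpkg is invoked, so the comparison cannot be skipped by accident. As the next section notes, this only gives assurance to the extent that the published checksum itself came from the packager untouched.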
+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to determine
whether the file has changed. It is commonly used to ensure the integrity
of updated packages distributed by a vendor.

  # md5sum <package>
  ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  mgetty                         | ----------------------------//
+---------------------------------+

Previously-issued mgetty packages did not log messages correctly.
Previous packages would encounter errors when attempting to spool
outgoing fax jobs due to an incorrect patch applied to the faxspool
script. Log files for vgetty and vm were also not rotated.
  i386: Red Hat 7.1
  ftp://updates.redhat.com/7.1/en/os/i386/mgetty-1.1.25-5.i386.rpm
    8d455745c570e7bce3096e0da79075a9
  ftp://updates.redhat.com/7.1/en/os/i386/mgetty-sendfax-1.1.25-5.i386.rpm
    8d455745c570e7bce3096e0da79075a9
  ftp://updates.redhat.com/7.1/en/os/i386/mgetty-viewfax-1.1.25-5.i386.rpm
    785096824b657ec2021ad2623712dd2e
  ftp://updates.redhat.com/7.1/en/os/i386/mgetty-voice-1.1.25-5.i386.rpm
    f2b8abb6d467965f48cfa20827130f98

  PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html

+---------------------------------+
|  netscape                       | ----------------------------//
+---------------------------------+

Florian Wesch has discovered a problem (reported to bugtraq) with the way
Netscape handles comments in GIF files. The Netscape browser does not
escape the GIF file comment in the image information page. This allows
javascript execution in the "about:" protocol and can for example be
used to upload the History (about:global) to a webserver, thus leaking
private information. This problem has been fixed upstream in Netscape
4.77.

  PLEASE SEE VENDOR ADVISORY FOR CORRECT ARCHITECTURE/VERSION

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1323.html

+---------------------------------+
|  nedit                          | ----------------------------//
+---------------------------------+

The nedit (Nirvana editor) package as shipped in the non-free section
accompanying Debian GNU/Linux 2.2/potato had a bug in its printing code:
when printing text it would create a temporary file containing the text
to be printed and pass that on to the print system. The temporary file
was not created safely, which could be exploited by an attacker to make
nedit overwrite arbitrary files.
  i386: Debian 2.2
  http://security.debian.org/dists/stable/updates/non-free/binary-i386/nedit_5.02-7.1_i386.deb
    1ad6fee0f55443820817b6a7e702afbf

  PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1325.html

+---------------------------------+
|  zope                           | ----------------------------//
+---------------------------------+

The issue involves the fact that the 'subscript notation' that can be
used to access items of ObjectManagers (Folders) did not correctly
restrict return values to only actual sub items. This made it possible
to access names that should be private from DTML (objects with names
beginning with the underscore '_' character). This could allow DTML
authors to see private implementation data structures and in certain
cases possibly call methods that they shouldn't have access to from
DTML.

  i386: Debian 2.2
  http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-9_i386.deb
    ae4f9c9addd2cc22e05ecf2c1da09a14

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1324.html

+---------------------------------+
|  sendfile                       | ----------------------------//
+---------------------------------+

Colin Phipps and Daniel Kobras discovered and fixed several serious bugs
in the saft daemon `sendfiled' which caused it to drop privileges
incorrectly. Exploiting this, a local user can easily make it execute
arbitrary code with root privileges.

  i386: Progeny
  http://archive.progeny.com/progeny/updates/newton/sendfile_2.1-24_i386.deb
    903eef59cc9253d6d732326eafe9c307

  Progeny Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1322.html

+---------------------------------+
|  samba                          | ----------------------------//
+---------------------------------+

A vulnerability found by Marcus Meissner exists in Samba where it was not
creating temporary files safely, which could allow local users to
overwrite files that they may not have access to.
This happens when a remote user queries a printer queue: Samba creates a
temporary file in which the queue's data is written. Because Samba
created the file insecurely and used a predictable filename, a local
attacker could cause Samba to overwrite files that the attacker did not
have access to. As well, the smbclient "more" and "mput" commands also
created temporary files insecurely.

  i586: Linux-Mandrake 8.0:
  http://www.linux-mandrake.com/en/ftp.php3
  8.0/RPMS/samba-2.0.8-1.3mdk.i586.rpm
    ef8d5cd992f07be3878e65c69abb2606
  8.0/RPMS/samba-client-2.0.8-1.3mdk.i586.rpm
    1ad7f4f08f48c42b64cf2b8e9937999c
  8.0/RPMS/samba-common-2.0.8-1.3mdk.i586.rpm
    5224020f261a0493ff41570b2d42bc79

  PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1319.html

  i386 FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/samba-2.0.8.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/samba-2.0.8.tgz

  PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1314.html

+---------------------------------+
|  hylafax                        | ----------------------------//
+---------------------------------+

When hfaxd(8c) tries to change to its queue directory and fails, it
prints an error message via syslog by directly passing user-supplied
data as the format string. As long as hfaxd(8c) is installed setuid
root, this behavior could be exploited to gain root access locally.
  i386: SuSE-7.1:
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/n3/hylafax-4.1beta2-251.i386.rpm
    a3d5d0d5a8977852b02dc9b7352054aa

  PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1311.html

  i386: FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/comms/hylafax-4.1.b2_2.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/comms/hylafax-4.1.b2_2.tgz

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1312.html

+---------------------------------+
|  licq                           | ----------------------------//
+---------------------------------+

The licq port, versions prior to 1.0.3, contains a vulnerability in URL
parsing. URLs received by the licq program are passed to the web browser
using the system() function. Since licq performs no sanity checking, a
remote attacker may be able to pipe commands contained in the URL,
causing the client to execute arbitrary commands.

Additionally, the licq program also contains a buffer overflow in the
logging functions allowing a remote attacker to cause licq to crash and
potentially execute arbitrary code on the local machine as the user
running licq.

  i386: FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/licq-1.0.3.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/licq-1.0.3.tgz

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1313.html

+---------------------------------+
|  slrn                           | ----------------------------//
+---------------------------------+

The slrn port, versions prior to slrn-0.9.7.0, contains a buffer
overflow in the wrapping/unwrapping functions of message header parsing.
If a sufficiently long header is parsed, a buffer may overflow, allowing
the execution of arbitrary code contained in a message header as the
user running the slrn program.
  i386 FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/news/slrn-0.9.7.0.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/news/slrn-0.9.7.0.tgz

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1315.html

+---------------------------------+
|  sudo                           | ----------------------------//
+---------------------------------+

The sudo port, versions prior to sudo-1.6.3.7, contains a local
command-line buffer overflow allowing a local user to potentially gain
increased privileges on the local system.

  i386 FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/sudo-1.6.3.7.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/security/sudo-1.6.3.7.tgz

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1316.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-requestat_private with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVat_private with a message body of
"SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 02:02:14 PDT