+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| April 27th, 2001 Volume 2, Number 17a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for mgetty, netscape, nedit,
zope, sendfile, samba, hylafax, licq, slrn, and sudo. The vendors
include Debian, FreeBSD, Mandrake, Progeny, Red Hat, and SuSE. This
was still a pretty active week. The samba vulnerability and others
such as sendfile and sudo are pretty serious. As always, it is
important to stay current with all software you choose to implement.
EnGarde Linux i386 Now Available! - Guardian Digital, Inc., the Open
Source security company, has announced immediate availability of
EnGarde Secure Linux for the i386 platform.
http://www.engardelinux.org/download.html
** FREE Apache SSL Guide from Thawte Certification **
Do your online customers demand the best available protection of
their personal information? Thawte's guide explains how to give
this to your customers by implementing SSL on your Apache Web
Server. Click here to get our FREE Thawte Apache Guide:
http://www.thawte.com/ucgi/gothawte.cgi?a=n342707510022000
HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+
# rpm -Uvh
# dpkg -i
Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.
+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+
The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependant upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.
# md5sum
ebf0d4a0d236453f63a797ea20f0758b
The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package
also may have modified the published checksum, it is especially
useful for establishing a great deal of assurance in the integrity
of a package before installing
+---------------------------------+
| mgetty | ----------------------------//
+---------------------------------+
Previously-issued mgetty packages did not log messages correctly.
Previous packages would encounter errors when attempting to spool
outgoing fax jobs due to an incorrect patch applied to the faxspool
script. Log files for vgetty and vm were also not rotated.
i386: Red Hat 7.1
ftp://updates.redhat.com/7.1/en/os/i386/
mgetty-1.1.25-5.i386.rpm
8d455745c570e7bce3096e0da79075a9
ftp://updates.redhat.com/7.1/en/os/i386/
mgetty-sendfax-1.1.25-5.i386.rpm
8d455745c570e7bce3096e0da79075a9
ftp://updates.redhat.com/7.1/en/os/i386/
mgetty-viewfax-1.1.25-5.i386.rpm
785096824b657ec2021ad2623712dd2e
ftp://updates.redhat.com/7.1/en/os/i386
/mgetty-voice-1.1.25-5.i386.rpm
f2b8abb6d467965f48cfa20827130f98
PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1321.html
+---------------------------------+
| netscape | ----------------------------//
+---------------------------------+
Florian Wesch has discovered a problem (reported to bugtraq) with the
way how Netscape handles comments in GIF files. The Netscape browser
does not escape the GIF file comment in the image information page.
This allows javascript execution in the "about:" protocol and can for
example be used to upload the History (about:global) to a webserver,
thus leaking private information. This problem has been fixed
upstream in Netscape 4.77.
PLEASE SEE VENDOR ADVISORY FOR CORRECT ARCHITECTURE/VERSION
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1323.html
+---------------------------------+
| nedit | ----------------------------//
+---------------------------------+
The nedit (Nirvana editor) package as shipped in the non-free section
accompanying Debian GNU/Linux 2.2/potato had a bug in its printing
code: when printing text it would create a temporary file with the to
be printed text and pass that on to the print system. The temporary
file was not created safely, which could be exploited by an attacked
to make nedit overwrite arbitrary files.
i386: Debian 2.2
http://security.debian.org/dists/stable/updates/non-free/
binary-i386/nedit_5.02-7.1_i386.deb
1ad6fee0f55443820817b6a7e702afbf
PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1325.html
+---------------------------------+
| zope | ----------------------------//
+---------------------------------+
The issue involves the fact that the 'subscript notation' that can be
used to access items of ObjectManagers (Folders) did not correctly
restrict return values to only actual sub items. This made it
possible to access names that should be private from DTML (objects
with names beginning with the underscore '_' character). This could
allow DTML authors to see private implementation data structures and
in certain cases possibly call methods that they shouldn't have
access to from DTML.
i386: Debian 2.2
http://security.debian.org/dists/stable/updates/
main/binary-i386/zope_2.1.6-9_i386.deb
ae4f9c9addd2cc22e05ecf2c1da09a14
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1324.html
+---------------------------------+
| sendfile | ----------------------------//
+---------------------------------+
Colin Phipps and Daniel Kobras discovered and fixed several serious
bugs in the saft daemon `sendfiled' which caused it to drop
privileges incorrectly. Exploiting this a local user can easily make
it execute arbitrary code under root privileges.
i386: Progeny
http://archive.progeny.com/progeny/updates/
newton/sendfile_2.1-24_i386.deb
903eef59cc9253d6d732326eafe9c307
Progeny Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1322.html
+---------------------------------+
| samba | ----------------------------//
+---------------------------------+
A vulnerability found by Marcus Meissner exists in Samba where it was
not creating temporary files safely which could allow local users to
overwrite files that they may not have access to. This happens when
a remote user queried a printer queue and samba would create a
temporary file in which the queue's data was written. Because Samba
created the file insecurely and used a predictable filename, a local
attacker could cause Samba to overwrite files that the attacker did
not have access to. As well, the smbclient "more" and "mput"
commands also created temporary files insecurely.
i586: Linux-Mandrake 8.0:
http://www.linux-mandrake.com/en/ftp.php3
8.0/RPMS/samba-2.0.8-1.3mdk.i586.rpm
ef8d5cd992f07be3878e65c69abb2606
8.0/RPMS/samba-client-2.0.8-1.3mdk.i586.rpm
1ad7f4f08f48c42b64cf2b8e9937999c
8.0/RPMS/samba-common-2.0.8-1.3mdk.i586.rpm
5224020f261a0493ff41570b2d42bc79
PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1319.html
i386 FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-4-stable/net/samba-2.0.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/net/samba-2.0.8.tgz
PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1314.html
+---------------------------------+
| hylafax | ----------------------------//
+---------------------------------+
When hfaxd(8c) tries to change to it's queue directory and fails, it
prints an error message via syslog by directly passing user supplied
data as format string. As long as hfaxd(8c) is installed setuid root,
this behavior could be exploited to gain root access locally.
i386: SuSE-7.1:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/
n3/hylafax-4.1beta2-251.i386.rpm
a3d5d0d5a8977852b02dc9b7352054aa
PLEASE SEE ADVISORY FOR OTHER ARCHITECTURES/VERSIONS
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1311.html
i386: FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-4-stable/comms/hylafax-4.1.b2_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/comms/hylafax-4.1.b2_2.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1312.html
+---------------------------------+
| licq | ----------------------------//
+---------------------------------+
The licq port, versions prior to 1.0.3, contains a vulnerability in
URL parsing. URLs received by the licq program are passed to the web
browser using the system() function. Since licq performs no sanity
checking, a remote attacker may be able to pipe commands contained in
the URL causing the client to execute arbitrary commands.
Additionally, the licq program also contains a buffer overflow in the
logging functions allowing a remote attacker to cause licq to crash
and potentially execute arbitbrary code on the local machine as the
user running licq.
i386: FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-4-stable/net/licq-1.0.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/net/licq-1.0.3.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1313.html
+---------------------------------+
| slrn | ----------------------------//
+---------------------------------+
The slrn port, versions prior to slrn-0.9.7.0, contains a buffer
overflow in the wrapping/unwrapping functions of message header
parsing. If a sufficiently long header is parsed, a buffer may
overflow allowing the execution of arbitrary code contained in a
message header as the user running the slrn program.
i386 FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-4-stable/news/slrn-0.9.7.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/news/slrn-0.9.7.0.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1315.html
+---------------------------------+
| sudo | ----------------------------//
+---------------------------------+
The sudo port, versions prior to sudo-1.6.3.7, contains a local
command-line buffer overflow allowing a local user to potentially
gain increased privileges on the local system.
i386 FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-4-stable/security/sudo-1.6.3.7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/security/sudo-1.6.3.7.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1316.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVat_private with a message body of
"SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 02:02:14 PDT