+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  August 24th, 2001                        Volume 2, Number 34a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               daveat_private             benat_private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for fetchmail, groff, ucd-snmp,
ipfw, sdb, gdm, telnetd, procfs, openssl prng, dump, sendmail, and tcp
wrappers. The vendors include Caldera, Conectiva, FreeBSD, Mandrake,
NetBSD, Progeny, and SuSE.

Maximize your security with EnGarde! EnGarde was designed from the
ground up as a secure solution, starting with the principle of least
privilege, and carrying it through every aspect of its implementation.

  http://www.engardelinux.org

Take advantage of our Linux Security discussion list! This mailing
list is for general security-related questions and comments. To
subscribe send an e-mail to security-discuss-requestat_private with
"subscribe" as the subject.

HTML Version:
  http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  fetchmail                      | ----------------------------//
+---------------------------------+

Fetchmail is a tool for retrieving and forwarding mail. Two
vulnerabilities in the code of fetchmail were found in recent weeks.

 i386 Intel Platform:
 SuSE-7.2
   ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/
   fetchmail-5.8.0-48.i386.rpm       995660f54f997eb33120c6dcdab5ca73

 SuSE Vendor Advisory:
   http://www.linuxsecurity.com/advisories/suse_advisory-1556.html

+---------------------------------+
|  groff                          | ----------------------------//
+---------------------------------+

groff, the GNU version of troff, has a potentially remotely
exploitable vulnerability in Progeny versions prior to 1.17.2-6 if it
is used with certain configurations of lpd.

 i386:
 Progeny
   http://archive.progeny.com/progeny/updates/newton/
   groff-base_1.17.2-6_i386.deb      534cc0161fef71e64747938be33bf782
   groff_1.17.2-6_i386.deb           277aba2ede78bc5b5035df566aacbb07
   groff-x11_1.17.2-6_i386.deb       674fb9f76dce60c0c8cd3604d4f092be

 Progeny Vendor Advisory:
   http://www.linuxsecurity.com/advisories/other_advisory-1558.html

+---------------------------------+
|  ucd-snmp                       | ----------------------------//
+---------------------------------+

In a routine security audit of the ucd-snmp package we have found
several problems, including several potentially exploitable buffer
overflows, format string bugs, signedness issues and tempfile race
conditions. Some of these might allow remote attackers to gain access
to the UID under which snmpd is running. This update fixes all known
problems and also makes snmpd run as user 'nobody', reducing the
impact of further problems.

 i386:
 Caldera
   ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
   RPMS/ucd-snmp-4.2.1-6b.i386.rpm        cb200e856acac6bd14fec9eb67eabb14
   RPMS/ucd-snmp-devel-4.2.1-6b.i386.rpm  0c8f8963ce490f80a47681996e9370ab
   RPMS/ucd-snmp-utils-4.2.1-6b.i386.rpm  d584b6cd0b799b4b928dadce9f2ec058

 Caldera Vendor Advisory:
   http://www.linuxsecurity.com/advisories/caldera_advisory-1559.html

+---------------------------------+
|  ipfw                           | ----------------------------//
+---------------------------------+

ipfw is a system facility which allows IP packet filtering,
redirecting, and traffic accounting. ipfw `me' rules are filter rules
that specify a source or destination address of `me', intended to
match any IP address configured on a local interface.

 FreeBSD:
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/
   SA-01:53/ipfw.patch

 FreeBSD Vendor Advisory:
   http://www.linuxsecurity.com/advisories/freebsd_advisory-1560.html

+---------------------------------+
|  sdb                            | ----------------------------//
+---------------------------------+

sdbsearch.cgi, a Perl script that is part of the sdb package of SuSE
Linux, was found to trust untrustworthy client input (the HTTP_REFERER
header). By exploiting this trust an attacker could force the
sdbsearch.cgi script to open a malicious keylist file which includes
keywords and filenames.

 i386 Intel Platform:
 SuSE-7.2
   ftp://ftp.suse.com/pub/suse/i386/update/7.2/doc1/
   sdb-2001.5.15-6.noarch.rpm        4230c06f2e703753e79ee0e50339567b

 SuSE Vendor Advisory:
   http://www.linuxsecurity.com/advisories/suse_advisory-1561.html

+---------------------------------+
|  gdm                            | ----------------------------//
+---------------------------------+

A buffer overrun exists in the XDMCP handling code used in gdm. By
sending a properly crafted XDMCP message, it is possible for a remote
attacker to execute arbitrary commands as root on the susceptible
machine. By default, XDMCP is disabled in gdm.conf on Mandrake Linux.

 Mandrake Linux 8.0:
   8.0/RPMS/gdm-2.2.3.2-2.1mdk.i586.rpm   41c178fc24d9acb2ead1438e837f0325
   http://www.linux-mandrake.com/en/ftp.php3

 Mandrake Vendor Advisory:
   http://www.linuxsecurity.com/advisories/mandrake_advisory-1562.html

+---------------------------------+
|  telnetd                        | ----------------------------//
+---------------------------------+

Due to incorrect bounds checking of data buffered for output to the
remote client, an attacker can cause the telnetd process to overflow
the buffer and crash, or execute arbitrary code as the user running
telnetd, usually root. A valid user account and password are not
required to exploit this vulnerability, only the ability to connect to
a telnetd server.

 PLEASE SEE VENDOR ADVISORY

 FreeBSD Vendor Advisory:
   http://www.linuxsecurity.com/advisories/freebsd_advisory-1563.html

+---------------------------------+
|  procfs                         | ----------------------------//
+---------------------------------+

Attackers may be able to extract sensitive system information, such as
password hashes from the /etc/master.passwd file, from setuid or
setgid processes, such as su(1). This information could be used by
attackers to escalate their privileges, possibly yielding root
privileges on the local system.

 FreeBSD:
   ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/
   SA-01:55/procfs.patch

 FreeBSD Vendor Advisory:
   http://www.linuxsecurity.com/advisories/freebsd_advisory-1564.html

+---------------------------------+
|  openssl prng                   | ----------------------------//
+---------------------------------+

The OpenSSL libcrypto includes a PRNG (pseudo random number generator)
implementation. The logic used by the PRNG was not strong enough, and
allows attackers to guess the internal state of the PRNG. Therefore,
attackers can predict future PRNG output.

 NetBSD:
   ftp://ftp.netbsd.org/pub/NetBSD/security/patches/
   SA2001-013-openssl-1.5.patch

 NetBSD Vendor Advisory:
   http://www.linuxsecurity.com/advisories/netbsd_advisory-1565.html

+---------------------------------+
|  dump                           | ----------------------------//
+---------------------------------+

The dump(8) command (installed as /sbin/dump) and the dump_lfs(8)
command (installed as /sbin/dump_lfs) are setgid tty. dump(8) and
dump_lfs(8) did not drop those setgid tty rights while performing
functions other than those the rights were provided for, including
execution of a user supplied RCMD_CMD environment variable.

 NetBSD:
   ftp://ftp.netbsd.org/pub/NetBSD/security/patches/
   SA2001-014-dump-1.5.patch

 NetBSD Vendor Advisory:
   http://www.linuxsecurity.com/advisories/netbsd_advisory-1566.html

+---------------------------------+
|  sendmail                       | ----------------------------//
+---------------------------------+

Cade Cairns from Security Focus discovered an input validation error
in sendmail's debugging functionality. The function that handles the
"-d" command line option stores that value in a signed integer and
uses it as an index into an internal vector. This function does not
check for negative values of this index, which allows a local attacker
to cause a signed integer overflow by supplying large numbers to this
parameter, which can then be used to write data outside that vector.

 PLEASE SEE VENDOR ADVISORY

 Conectiva Vendor Advisory:
   http://www.linuxsecurity.com/advisories/other_advisory-1567.html

 SuSE Vendor Advisory:
   http://www.linuxsecurity.com/advisories/suse_advisory-1568.html

+---------------------------------+
|  tcp wrappers                   | ----------------------------//
+---------------------------------+

An attacker that can influence the results of reverse DNS lookups can
bypass certain tcp_wrappers PARANOID ACL restrictions by impersonating
a trusted host. Such an attacker would need to be able to spoof reverse
DNS lookups, or, more simply, the attacker may be the administrator of
the DNS zone that includes the IP address of the remote host.

 FreeBSD:
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/
   SA-01:56/tcp_wrappers.patch

 FreeBSD Vendor Advisory:
   http://www.linuxsecurity.com/advisories/freebsd_advisory-1569.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-requestat_private with
"unsubscribe" in the subject of the message.
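The sendmail item above describes a "-d" category value held in a signed integer and checked only against the top of the debug vector. The following C sketch, added here and not sendmail's own code, models that one-sided check beside a parser that bounds both ends; TTMAX, tTvect and the "category.level" syntax are assumptions made for the illustration.

```c
/* Model of the "-d category.level" index flaw; constructed for illustration,
 * sizes and names are assumptions and not sendmail's own. */
#include <errno.h>
#include <stdlib.h>

#define TTMAX 100                 /* assumed size of the debug vector */
static unsigned char tTvect[TTMAX];

/* The flawed check as the advisory describes it: the category is a signed
 * value tested only against the upper bound, so a negative category (or one
 * that wrapped negative when narrowed to int) is accepted and would index
 * before the start of tTvect. Reports the decision only; no write occurs. */
int flawed_check_accepts(const char *spec)
{
    int cat = (int)strtol(spec, NULL, 10);  /* narrowing can wrap negative */
    return cat < TTMAX;                     /* missing "cat < 0" test */
}

/* Hardened parser: strtol with ERANGE detection, both bounds checked on the
 * wide type before narrowing, and the level bounded to what one vector
 * element can hold. Returns 0 on success, -1 on malformed or out-of-range
 * input, in which case nothing is written. */
int set_debug_level(const char *spec)
{
    char *end;
    const char *lstart;
    long cat, level;

    errno = 0;
    cat = strtol(spec, &end, 10);
    if (errno == ERANGE || end == spec || *end != '.')
        return -1;                          /* overflow or bad syntax */
    if (cat < 0 || cat >= TTMAX)
        return -1;                          /* lower AND upper bound */

    lstart = end + 1;
    errno = 0;
    level = strtol(lstart, &end, 10);
    if (errno == ERANGE || end == lstart || *end != '\0' ||
        level < 0 || level > 255)
        return -1;

    tTvect[cat] = (unsigned char)level;     /* index proven in range */
    return 0;
}
```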