+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| October 12th, 2001 Volume 2, Number 41a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlinesthe
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for slrn, most, uucp, squid, Mandrake
8.1 kernel, sendmail, lprold, and zope. The Vendors include Caldera,
FreeBSD, Mandrake, Progeny, Red Hat, and SuSE.
Lock down your network! The EnGarde Linux distribution was designed from
the ground up as a secure solution, starting with the principle of least
privilege, and carrying it through every aspect of its
implementation.http://www.engardelinux.org
Take advantage of our Linux Security discussion list! This mailing list
is for general security-related questions and comments.
To subscribe send an e-mail to:
security-discuss-requestat_private
The EnGarde distribution was designed from the ground up as a secure
solution, starting with the principle of least privilege, and carrying it
through every aspect of its implementation.
* http://www.engardelinux.org
+---------------------------------+
| slrn | ----------------------------//
+---------------------------------+
The slrn package, a threaded news reader, is susceptible to remote command
invocation in Progeny versions prior to 0.9.6.2-9potato2.
Progeny: i386
http://archive.progeny.com/progeny/updates/newton/
5efc319eb969c761dda2a26bfaf87110
slrn_0.9.6.2-9potato2_i386.deb
1b72b7ac4a8c495cc9c74b2f7b52e471
slrnpull_0.9.6.2-9potato2_i386.deb
Progeny Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1625.html
+---------------------------------+
| most | ----------------------------//
+---------------------------------+
Pavel Machek found a buffer overflow in the "most" pager program. The
problem is part of most's tab expansion where the program would write
beyond the bounds two array variables when viewing a malicious file.
This could lead into other data structures being overwritten, which in
turn could enable "most" to execute arbitrary code being able to
compromise the user's environment.
Progeny: i386
http://archive.progeny.com/progeny/updates/newton/
most_4.9.2-1progeny1_i386.deb
8e26b5b97cf2654bbfd2027afdd25e88
Progeny Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1626.html
+---------------------------------+
| uucp | ----------------------------//
+---------------------------------+
zen-parse found a problem with Taylor UUCP as distributed with many Linux
distributions. Due to incorrect argument handling in a component of the
Taylor UUCP package, it is possible for local users to gain uid/gid uucp.
Progeny: i386
http://archive.progeny.com/progeny/updates/newton/
7f474134296bfeb6d03579f16843bd82
uucp_1.06.1-11potato1progeny2_i386.deb
Progeny Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1627.html
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/
patches/SA-01:62/uucp.patch
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1629.html
+---------------------------------+
| squid | ----------------------------//
+---------------------------------+
A remote attacker may use the squid server in order to issue requests to
hosts that are otherwise inaccessible. Because the squid server processes
these requests as HTTP requests, the attacker cannot send or retrieve
arbitrary data. However, the attacker could use squid's response to
determine if a particular port is open on a victim host. Therefore, the
squid server may be used to conduct a port scan.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/www/squid-2.3_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/www/squid-2.4_5.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1628.html
+---------------------------------+
| Kernel: Mandrake 8.1 | ----------------------------//
+---------------------------------+
Alexander Viro discovered a vulnerability in the devfs implementation that
is shipped with Mandrake Linux 8.1. We are aware of the problem and are
currently working on a solution. As a workaround, until an update becomes
available, please boot with the devfs=nomount option.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1630.html
+---------------------------------+
| htdig | ----------------------------//
+---------------------------------+
The htsearch CGI runs as both the CGI and as a command-line program. The
command-line program accepts the -c [filename] to read in an alternate
configuration file. On the other hand, no filtering is done to stop the
CGI program from taking command-line arguments, so a remote user can force
the CGI to stall until it times out (resulting in a DOS) or read in a
different configuration file.
PLEASE SEE VENDOR ADVISORY
htdig Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1631.html
Caldera: i386
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/
Server/current/RPMS
33b12c381170e69267ffff170b5e7cdc
RPMS/htdig-3.1.5-8.i386.rpm
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1632.html
+---------------------------------+
| sendmail | ----------------------------//
+---------------------------------+
There is a permission problem in the default setup of sendmail in all
OpenLinux versions, which allows a local attacker to cause a denial of
service attack effectively stopping delivery of all mails from the current
system.
Caldera:
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1633.html
+---------------------------------+
| prold | ----------------------------//
+---------------------------------+
ISS X-Force reported an overflow in BSD's lineprinter daemon shipped with
the lprold package in SuSE Linux. Due to missing bounds checks in the
lockfile processing function, internal buffers may overflow. Bounds checks
have been added to fix that problem. Additionally the SuSE Security Team
uncovered other security releated bugs in lpd while analyzing lpd source
after receiving the X-Force advisory.
These bugs allows users on machines listed in /etc/hosts.lpd or
/etc/hosts.equiv to chown any file on the system running lpd to any user.
In order to trigger any of the fixed bugs (including the overflow) the
attackers machine must be listed in one of these two access-files and the
attacker usually needs root on these machines due to the privileged-port
requirement.
i386 Intel Platform: SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/l
prold-3.0.48-272.i386.rpm
23b8251411a557563cb314102f405d31
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1634.html
+---------------------------------+
| zope | ----------------------------//
+---------------------------------+
The updated packages include a "hotfix" product which addresses a security
problem with DTML scripting, as described in the Hotfix_2001-09-28
README.txt file: "The issue involves the fmt attribute of dtml-var tags.
Without this correction, Zope does not check security access to methods
invoked through fmt. This issue could allow partially trusted users with
enough knowledge of Zope to call, in a limited way, methods they would not
otherwise be allowed to access."
Red Hat:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1635.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 15:36:24 PDT