[ISN] Linux Advisory Watch - October 19th, 2001

From: InfoSec News (isnat_private)
Date: Mon Oct 22 2001 - 01:21:03 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  October 19th, 2001                       Volume 2, Number 42a |
    +----------------------------------------------------------------+
     
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
     
     
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.  It
    includes pointers to updated packages and descriptions of each
    vulnerability.
     
    This week, advisories were released for w3m, xvt, procmail, zope, openssh,
    openssl, util-linux, htdig, kernel, and apache.  The vendors include
    Conectiva, Debian, Mandrake, Red Hat, and Trustix.
    
    ** FREE Apache SSL Guide from Thawte **
     
    Planning Web Server Security? Find out how to implement SSL!  Get the free
    Thawte Apache SSL Guide and find the answers to all your Apache SSL
    security issues and more at:
     
    http://www.gothawte.com/rd90.html 
     
     
    Have you tried EnGarde Secure Linux?  The EnGarde Linux distribution was
    designed from the ground up as a secure solution, starting with the
    principle of least privilege, and carrying it through every aspect of its
    implementation.  http://www.engardelinux.org
    
    Take advantage of our Linux Security discussion list!  This mailing list
    is for general security-related questions and comments. To subscribe send
    an e-mail to security-discuss-requestat_private with "subscribe"
    as the subject.
    
    
    +---------------------------------+
    |  w3m                            | ----------------------------//
    +---------------------------------+
    
    In SNS Advisory No. 32 a buffer overflow vulnerability has been reported
    in the routine which parses MIME headers that are returned from web
    servers.  A malicious web server administrator could exploit this and let
    the client web browser execute arbitrary code.  W3m handles MIME headers
    included in the request/response message of HTTP communication like any
    other web browser.  A buffer overflow occurs when w3m receives a
    MIME-encoded header in base64 format.
    
     Debian Intel ia32 architecture: 
     http://security.debian.org/dists/stable/updates/main/binary-i386 
     /w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb 
     MD5 checksum: 7b811019f0f246338cbf438952358b54 
    
     http://security.debian.org/dists/stable/updates/main/binary-i386/ 
     w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb 
     MD5 checksum: 07c9aa2738a22e4984c290657c71b79d  
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1646.html 
      
      
    
    
    +---------------------------------+
    |  xvt                            | ----------------------------//
    +---------------------------------+
    
    Christophe Bailleux reported on bugtraq that Xvt is vulnerable to a buffer
    overflow in its argument handling.  Since Xvt is installed setuid root, it
    was possible for a normal user to pass carefully-crafted arguments to xvt
    so that xvt executed a root shell.
    
    
     Debian Intel ia32 architecture: 
     http://security.debian.org/dists/stable/updates/main/binary-i386/ 
     xvt_2.1-13.0potato.1_i386.deb 
     MD5 checksum: 3fe8465dac109969c871f264d847d467 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1647.html
    
    
      
    +---------------------------------+
    |  procmail                       | ----------------------------//
    +---------------------------------+
    
    Using older versions of procmail it was possible to make procmail crash by
    sending it signals.  On systems where procmail is installed setuid this
    could be exploited to obtain unauthorized privileges.
    
     Debian Intel ia32 architecture: 
     http://security.debian.org/dists/stable/updates/main/binary-i386/ 
     procmail_3.15.2-1_i386.deb 
     MD5 checksum: d7245b21110faf119e77705eaf724218 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1648.html
    
    
      
    
    +---------------------------------+
    |  zope                           | ----------------------------//
    +---------------------------------+
    
    "The issue involves the fmt attribute of dtml-var tags.  Without this
    correction, Zope does not check security access to methods invoked through
    fmt.  This issue could allow partially trusted users with enough knowledge
    of Zope to call, in a limited way, methods they would not otherwise be
    allowed to access."
    
     Mandrake: i386 
     PLEASE SEE VENDOR FOR UPDATE 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1636.html
    
    
    
    
    +---------------------------------+
    |  openssh                        | ----------------------------//
    +---------------------------------+
    
    In some circumstances, the sshd server may not honor the "from=" option
    that can be associated with a key in a user's ~/.ssh/authorized_keys2 file
    if multiple keys are listed.  This could allow key-based logins from hosts
    which should not be allowed access.
    
    
     Mandrake: i386 
     PLEASE SEE VENDOR FOR UPDATE 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1637.html 
    
    
     Trustix:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Trustix Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1641.html 
      
      
     Immunix:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Immunix: Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1654.html
    
    
    
    +---------------------------------+
    |  openssl                        | ----------------------------//
    +---------------------------------+
    
    If a user lists multiple keys in her .ssh/authorized_keys2 file, sshd may
    in some circumstances not honor the "from" option which can be associated
    with a key, thereby allowing key-based logins from hosts which should not
    be allowed access.
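    The openssh and openssl entries above describe the same sshd behaviour: with
    several keys in authorized_keys2, a key's "from=" restriction could go
    unenforced.  As an added illustration (not part of the newsletter or of the
    OpenSSH code), this Python audit script parses an authorized_keys2 file and
    evaluates each key's from= option on its own, which is what a corrected sshd
    should do; the sample file, its key blobs and hostnames are constructed.

```python
import fnmatch
# Constructed sample authorized_keys2 file (not from the advisory); the key
# blobs are placeholders and no option value contains a space.
SAMPLE_AUTHORIZED_KEYS = """\
from="10.0.0.5" ssh-rsa AAAAB3PLACEHOLDER1 admin@bastion
ssh-rsa AAAAB3PLACEHOLDER2 alice@laptop
from="*.example.com,!bad.example.com",no-pty ssh-dss AAAAB3PLACEHOLDER3 build@ci
"""
KEY_TYPES = ("ssh-rsa", "ssh-dss")

def split_options(opts):
    """Split the options field on commas that are outside double quotes."""
    out, cur, quoted = [], "", False
    for ch in opts:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur] if cur else out

def parse_authorized_keys(text):
    """Return (options, keytype, comment) for every key line in the file."""
    entries = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue  # blank or comment line
        options = "" if fields[0] in KEY_TYPES else fields[0]
        rest = (line.strip() if not options else fields[1]).split(None, 2)
        entries.append((split_options(options), rest[0], rest[2] if len(rest) > 2 else ""))
    return entries

def from_allows(options, host):
    """Apply one key's from= list as sshd's pattern matching does: a matching
    negated (!) pattern denies, any positive match allows, no from= means any host."""
    for opt in options:
        if opt.startswith("from="):
            allowed = False
            for pat in opt[5:].strip('"').split(","):
                if fnmatch.fnmatchcase(host, pat.lstrip("!")):
                    if pat.startswith("!"):
                        return False
                    allowed = True
            return allowed
    return True

def accepted_keys(text, host):
    """Comments of the keys usable from host, each key's from= judged on its own."""
    return [c for o, _, c in parse_authorized_keys(text) if from_allows(o, host)]
```

    Running accepted_keys() against a real file for the hosts that actually
    connect shows which keys should be accepted from where, so any login from a
    host outside that set points at the unpatched behaviour.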
    
     Red Hat: i386 
     PLEASE SEE VENDOR ADVISORY 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html
    
    
      
    
    +---------------------------------+
    |  util-linux                     | ----------------------------//
    +---------------------------------+
    
    A problem existed in /bin/login's PAM implementation; it stored the value
    of a static pwent buffer across PAM calls; when used with some PAM modules
    in non-default configuration (such as pam_limits), it would overwrite the
    buffer, causing a user to get credentials of another user.
    
     Red Hat: i386 
     ftp://updates.redhat.com/7.1/en/os/i386/ 
     util-linux-2.11f-11.7.1.i386.rpm 
     2bf1db1cadc50f783220f70aa2b7a09c 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html 
      
    
     Trustix: i386 
     http://www.trustix.net/pub/Trustix/updates/ 
    
     ./1.5/RPMS/util-linux-2.11f-6tr.i586.rpm 
     d96660d42ee2901c18577e26616cabdf 
    
     ./1.5/RPMS/mount-2.11f-6tr.i586.rpm 
     4a7a357bf1ad7e7999a39c508326b155 
    
     ./1.5/RPMS/losetup-2.11f-6tr.i586.rpm 
     94dc41a4acf854f7bfff2276393ccd04 
    
     Trustix Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1642.html
    
    
      
    
    +---------------------------------+
    |  htdig                          | ----------------------------//
    +---------------------------------+
    
    A malicious user could point htsearch to a file like `/dev/zero' and let
    the server run in an endless loop, trying to read config parameters.  If
    the user has write permission on the server he can point the program to it
    and retrieve any file readable by the webserver user id.
      
    
     Mandrake Intel ia32 architecture: 
     http://security.debian.org/dists/stable/updates/main/binary-i386/ 
     htdig_3.1.5-2.0potato.1_i386.deb 
     MD5 checksum: 77befd19641a294cb0a47b72aa15e91c  
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1640.html 
    
    
      
    +---------------------------------+
    |  kernel                         | ----------------------------//
    +---------------------------------+
    
    There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y, y<=9.
    The first vulnerability results in local DoS. The second one, involving
    ptrace, can be used to gain root privileges locally (in case of default
    install of most popular distributions). Linux 2.0.x is not vulnerable to
    the ptrace bug mentioned.
    
     Kernel Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1643.html 
    
     Openwall Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1644.html
    
     EnGarde:
     PLEASE SEE VENDOR ADVISORY
    
     EnGarde Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1650.html
    
    
     Caldera:
     PLEASE SEE VENDOR ADVISORY
    
     Caldera Vendor Advisory:
     http://www.linuxsecurity.com/advisories/caldera_advisory-1652.html
    
    
     Trustix:
     PLEASE SEE VENDOR ADVISORY
    
     Trustix Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1653.html
    
    
    
    
    +---------------------------------+
    |  apache                         | ----------------------------//
    +---------------------------------+
    
    An intentionally malformed Host: header could allow any file with a .log
    extension to be overwritten due to a problem in the split-logfile script.
    Conectiva Linux does not ship split-logfile, but users who may have
    installed this script manually are thus advised to check their systems for
    this vulnerability. [1] When Multiviews are used to negotiate the
    directory index, under certain conditions a request for the URI /?M=D
    could return a directory listing rather than negotiated content. [2] [3]
    
     Conectiva: 
     ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ 
     apache-1.3.22-U70_1cl.src.rpm 
     ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
     apache-1.3.22-U70_1cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
     apache-devel-1.3.22-U70_1cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
     apache-doc-1.3.22-U70_1cl.i386.rpm 
    
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1645.html
    
    
     EnGarde:
     i386/apache-1.3.22-1.0.26.i386.rpm
     MD5 Sum:  96572199eee00807d35b8c78d1fcc011
    
     i686/apache-1.3.22-1.0.26.i686.rpm
     MD5 Sum:  17a01bce42ad8d34ec4e87ef2949fc90
    
    
     ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    
     EnGarde Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1649.html     
    
    
    
    
    +---------------------------------+
    |  xinetd                         | ----------------------------//
    +---------------------------------+
    
    Solar Designer did an audit of xinetd 2.3.0 and came up with a list of
    potential vulnerabilities.  This release fixes all known vulnerabilities
    as a precautionary measure.  Most of these fixes are in the interest of
    robustness and are not known to be exploitable at this time.
    
    
     EnGarde:
     i386/xinetd-2.3.3-1.0.19.i386.rpm
     MD5 Sum:  41c24df4e59ae3e3e6a6fe5db4d1f64d
    
     i686/xinetd-2.3.3-1.0.19.i686.rpm
     MD5 Sum:  76df066a15dbc80456203bb4e945eaa0
    
    
     ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ 
    
     EnGarde Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1651.html
         
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 03:12:43 PDT