+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| October 19th, 2001 Volume 2, Number 42a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlinesthe
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for w3m, xvt, procmail, zope, openssh,
openssl, until-linux, htdig, kernel, and apache. The vendors include
Conectiva, Debian, Mandrake, Red Hat, and Trustix.
** FREE Apache SSL Guide from Thawte **
Planning Web Server Security? Find out how to implement SSL! Get the free
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security issues and more at:
http://www.gothawte.com/rd90.html
Have you tried EnGarde Secure Linux? The EnGarde Linux distribution was
designed from the ground up as a secure solution, starting with the
principle of least privilege, and carrying it through every aspect of its
implementation.http://www.engardelinux.org
Take advantage of our Linux Security discussion list! This mailing list
is for general security-related questions and comments. To subscribe send
an e-mail to security-discuss-requestat_private with "subscribe"
as the subject.
+---------------------------------+
| w3m | ----------------------------//
+---------------------------------+
In SNS Advisory No. 32 a buffer overflow vulnerability has been reported
in the routine which parses MIME headers that are returned from web
servers. A malicious web server administrator could exploit this and let
the client web browser execute arbitrary code. W3m handles MIME headers
included in the request/response message of HTTP communication like any
other we bbrowser. A buffer overflow will be occur when w3m receives a
MIME encoded header with base64 format
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386
/w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb
MD5 checksum: 7b811019f0f246338cbf438952358b54
http://security.debian.org/dists/stable/updates/main/binary-i386/
w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb
MD5 checksum: 07c9aa2738a22e4984c290657c71b79d
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1646.html
+---------------------------------+
| xvt | ----------------------------//
+---------------------------------+
Christophe Bailleux reported on bugtraq that Xvt is vulnerable to a buffer
overflow in its argument handling. Since Xvt is installed setuid root, it
was possible for a normal user to pass carefully-crafted arguments to xvt
so that xvt executed a root shell
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/
xvt_2.1-13.0potato.1_i386.deb
MD5 checksum: 3fe8465dac109969c871f264d847d467
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1647.html
+---------------------------------+
| procmail | ----------------------------//
+---------------------------------+
Using older versions of procmail it was possible to make procmail crash by
sending it signals. On systems where procmail is installed setuid this
could be exploited to obtain unauthorized privileges.
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/
procmail_3.15.2-1_i386.deb
MD5 checksum: d7245b21110faf119e77705eaf724218
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1648.html
+---------------------------------+
| zope | ----------------------------//
+---------------------------------+
"The issue involves the fmt attribute of dtml-var tags. Without this
correction, Zope does not check security access to methods invoked through
fmt. This issue could allow partially trusted users with enough knowledge
of Zope to call, in a limited way, methods they would not otherwise be
allowed to access."
Mandrake: i386
PLEASE SEE VENDOR FOR UPDATE
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1636.html
+---------------------------------+
| openssh | ----------------------------//
+---------------------------------+
In some circumstances, the sshd server may not honor the "from=" option
that can be associated with a key in a user's ~/.ssh/authorized_keys2 file
if multiple keys are listed. This could allow key-based logins from hosts
which should not be allowed access.
Mandrake: i386
PLEASE SEE VENDOR FOR UPDATE
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1637.html
Trustix:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1641.html
Immunix:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Immunix: Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1654.html
+---------------------------------+
| openssl | ----------------------------//
+---------------------------------+
If a user lists multiple keys in her .ssh/authorized_keys2 file, sshd may
in some circumstances not honor the "from" option which can be associated
with a key, thereby allowing key-based logins from hosts which should not
be allowed access.
Red Hat: i386
PLEASE SEE VENDOR ADVISORY
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html
+---------------------------------+
| until-linux | ----------------------------//
+---------------------------------+
A problem existed in /bin/login's PAM implementation; it stored the value
of a static pwent buffer across PAM calls; when used with some PAM modules
in non-default configuration (such as pam_limits), it would overwrite the
buffer, causing a user to get credentials of another user.
Red Hat: i386
ftp://updates.redhat.com/7.1/en/os/i386/
util-linux-2.11f-11.7.1.i386.rpm
2bf1db1cadc50f783220f70aa2b7a09c
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html
Trustix: i386
http://www.trustix.net/pub/Trustix/updates/
./1.5/RPMS/util-linux-2.11f-6tr.i586.rpm
d96660d42ee2901c18577e26616cabdf
./1.5/RPMS/mount-2.11f-6tr.i586.rpm
4a7a357bf1ad7e7999a39c508326b155
./1.5/RPMS/losetup-2.11f-6tr.i586.rpm
94dc41a4acf854f7bfff2276393ccd04
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1642.html
+---------------------------------+
| htdig | ----------------------------//
+---------------------------------+
A malicious user could point htsearch to a file like `/dev/zero' and let
the server run in an endless loop, trying to read config parameters. If
the user has write permission on the server he can point the program to it
and retrive any file readable by the webserver user id.
Mandrake Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/
htdig_3.1.5-2.0potato.1_i386.deb
MD5 checksum: 77befd19641a294cb0a47b72aa15e91c
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1640.html
+---------------------------------+
| kernel | ----------------------------//
+---------------------------------+
There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y, y<=9.
The first vulnerability results in local DoS. The second one, involving
ptrace, can be used to gain root privileges locally (in case of default
install of most popular distributions). Linux 2.0.x is not vulnerable to
the ptrace bug mentioned.
Kernel Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1643.html
Openwall Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1644.html
EnGarde:
PLEASE SEE VENDOR ADVISORY
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1650.html
Caldera:
PLEASE SEE VENDOR ADVISORY
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1652.html
Trustix:
PLEASE SEE VENDOR ADVISORY
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1653.html
+---------------------------------+
| apache | ----------------------------//
+---------------------------------+
A intentionally malformed Host: header could allow any file with a .log
extention to be overwritten due to a problem in the split-logfile script.
Conectiva Linux does not ship split-logfile, but users who may have
installed this script manually are thus advised to check their systems for
this vulnerability. [1] When Multiviews are used to negotiate the
directory index, under certain conditions a request for the URI /?M=D
could return a directory listing rather than negotiated content. [2] [3]
Conectiva:
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/
apache-1.3.22-U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
apache-1.3.22-U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
apache-devel-1.3.22-U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/a
pache-doc-1.3.22-U70_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1645.html
EnGarde:
i386/apache-1.3.22-1.0.26.i386.rpm
MD5 Sum: 96572199eee00807d35b8c78d1fcc011
i686/apache-1.3.22-1.0.26.i686.rpm
MD5 Sum: 17a01bce42ad8d34ec4e87ef2949fc90
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1649.html
+---------------------------------+
| xinetd | ----------------------------//
+---------------------------------+
Solar Designer did an audit of xinetd 2.3.0 and came up with a list of
potential vulnerabilities. This release fixes all known vulnerabilities
as a precautionary measure. Most of these fixes are in the interest of
robustness and are not known to be exploitable at this time.
EnGarde:
i386/xinetd-2.3.3-1.0.19.i386.rpm
MD5 Sum: 41c24df4e59ae3e3e6a6fe5db4d1f64d
i686/xinetd-2.3.3-1.0.19.i686.rpm
MD5 Sum: 76df066a15dbc80456203bb4e945eaa0
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1651.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 03:12:43 PDT