+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| January 11th, 2002 Volume 3, Number 2a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for exim, libgtop, mutt, pkg_install,
pw, pine, mod_auth_pgsql, bind, proftpd, LIDS, stunnel, and namazu. The
vendors include Conectiva, Debian, FreeBSD, Mandrake, Red Hat, SuSE, and
Trustix.
** FREE SSL Guide from Thawte - Are you planning your Web Server
Security? Click here to get a FREE Thawte SSL guide and find the
answers to all your SSL security issues.
http://www.gothawte.com/rd175.html
Why be vulnerable? Its your choice. - Are you looking for a solution that
provides the applications necessary to easily create thousands of virtual
Web sites, manage e-mail, DNS, firewalling database functions for an
entire organization, and supports high-speed broadband connections all
using a Web-based front-end? EnGarde Secure Professional provides those
features and more!
Want to learn more?
http://store.guardiandigital.com/html/eng/493-AA.shtml
+---------------------------------+
| exim | ----------------------------//
+---------------------------------+
This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution. We recommend that you upgrade your exim package.
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/exim_3.12-10.2_i386.deb
MD5 checksum: d5a2fc41c32504d9982416fbabc53629
http://security.debian.org/dists/stable/updates/main/
binary-i386/eximon_3.12-10.2_i386.deb
MD5 checksum: 02ed4af9505089b21ccbe2d3391c4e51
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1776.html
Red Hat: PLEASE SEE VENDOR ADVISORY
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1792.html
+---------------------------------+
| libgtop | ----------------------------//
+---------------------------------+
The laboratory intexxia found a format string problem in the logging code
from libgtop_daemon. There were two logging functions which are called
when authorizing a client which could be exploited by a remote user.
Debian Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386
/libgtop-daemon_1.0.6-1.1_i386.deb
MD5 checksum: 169c014d0fff9d24045ed733fb26aacc
http://security.debian.org/dists/stable/updates/main/binary-i386/
libgtop-dev_1.0.6-1.1_i386.deb
MD5 checksum: 9ed2aea64be71cf4c4e5dc6274d9c774
http://security.debian.org/dists/stable/updates/main/binary-i386/
libgtop1_1.0.6-1.1_i386.deb
MD5 checksum: 321badb855ed000452f0180a2e557388
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1787.html
Trustix:
http://www.trustix.net/pub/Trustix/updates/
./1.5/RPMS/mutt-1.2.5i.1-1tr.i586.rpm
a0181fdebd24a64cec3ab62949a8cdc4
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1784.html
+---------------------------------+
| pkg_install | ----------------------------//
+---------------------------------+
A local attacker may be able to modify the package contents and
potentially elevate privileges or otherwise compromise the system. There
are no known exploits as of the date of this advisory.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:01/
pkg_add.patch
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1778.html
+---------------------------------+
| pw | ----------------------------//
+---------------------------------+
A local attacker can read the temporary file created by pw(8) and use the
encrypted passwords to conduct an off-line dictionary attack. A successful
attack would result in the recovery of one or more passwords. Because the
temporary file is short-lived (it is removed almost immediately after
creation), this can be difficult to exploit: an attacker must `race' to
read the file before it is removed.
FreeBSD:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:02/pw.patch
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1779.html
+---------------------------------+
| mutt | ----------------------------//
+---------------------------------+
An attacker may send an email message with a specially crafted email
address in any of several message headers to the victim. When the victim
reads the message using mutt and encounters that email address, the buffer
overflow is triggered and may result in arbitrary code being executed with
the privileges of the victim.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/
mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/
mail/mutt-devel-1.3.24_2.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1780.html
Updated FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1781.html
Conectiva:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
mutt-doc-1.3.17-8U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
mutt-help-1.3.17-8U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
mutt-1.3.17-8U70_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1786.html
Red Hat 7.2: i386:
ftp://updates.redhat.com/7.2/en/os/i386/mutt-1.2.5.1-1.i386.rpm
d362ea15a13e305e1e9a360715c55fee
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1790.html
Slackware:
Slackware Vendor Advisory:
http://www.linuxsecurity.com/advisories/slackware_advisory-1788.html
SuSE:
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1785.html
Debian Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/main/
binary-sparc/mutt_1.2.5-5_sparc.deb
MD5 checksum: 8bb33cd0efac0aeb345e87d58188e905
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1777.html
+---------------------------------+
| pine | ----------------------------//
+---------------------------------+
An attacker can supply commands enclosed in single quotes ('') in a URL
embedded in a message sent to the victim. If the user then decides to
view the URL, PINE will launch a command shell which will then execute the
attacker's commands with the victim's privileges. It is possible to
obfuscate the URL so that it will not necessarily seem dangerous to the
victim.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/mail/pine-4.43.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1782.html
FreeBSD Advisory Update:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1797.html
+---------------------------------+
| mod_auth_pgsql | ----------------------------//
+---------------------------------+
A remote user may insert arbitrary SQL code into the username during
authentication, leading to several exploit opportunities. In particular,
the attacker may cause mod_auth_pgsql to use a known fixed password hash
for user verification, allowing him to authenticate as any user and obtain
unauthorized access to web server data.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current
/www/mod_auth_pgsql-0.9.9.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1783.html
+---------------------------------+
| bind | ----------------------------//
+---------------------------------+
There are some insecure permissions on configuration files and executables
with the bind 9.x packages shipped with Mandrake Linux 8.0 and 8.1. This
update provides stricter permissions by making the /etc/rndc.conf and
/etc/rndc.key files read/write by the named user and by making
/sbin/rndc-confgen and /sbin/rndc read/write/executable only by root.
Mandrake Linux 8.0:
http://www.mandrakesecure.net/en/ftp.php
8.0/RPMS/bind-9.1.1-1.1mdk.i586.rpm
a086335b56151269c252428df794e154
8.0/RPMS/bind-devel-9.1.1-1.1mdk.i586.rpm
080d61511f43ecbfc07809221e0e70b7
8.0/RPMS/bind-utils-9.1.1-1.1mdk.i586.rpm
05ba599912dd98bdc328c715c4ebdf81
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1794.html
+---------------------------------+
| proftpd | ----------------------------//
+---------------------------------+
ProFTPD was not forward resolving reverse-resolved hostnames. A remote
attacker could explore this vulnerability[1] to bypass ProFTPD access
control lists or have false information (client hostname) logged. It was
discovered by Matthew S. Hallacy
Conectiva:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
proftpd-1.2.5rc1-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
proftpd-doc-1.2.5rc1-1U70_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1793.html
+---------------------------------+
| LIDS | ----------------------------//
+---------------------------------+
The use of LD_PRELOAD can make a program with privileges given by LIDS
execute attackers code. This mean that a root intruder can get every
capability or fs access you configured LIDS to grant. Moreover, if you
granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program, an attacker could
deactivate LIDS and thus, access any file.
PLEASE SEE LIDS ADVISORY
LIDS Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1795.html
+---------------------------------+
| stunnel | ----------------------------//
+---------------------------------+
Updated stunnel packages are now available for Red Hat Linux 7.2. These
updates close a format-string vulnerability which is present in some
earlier versions of stunnel.
Red Hat 7.2: i386:
ftp://updates.redhat.com/7.2/en/os/i386/stunnel-3.22-1.i386.rpm
b62a3f6c4418550873602147697213b0
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1791.html
+---------------------------------+
| namazu | ----------------------------//
+---------------------------------+
Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
inadvertently include malicious HTML tags or scripts in a dynamically
generated page, based on unvalidated input from untrustworthy sources.
Also, a buffer overflow vulnerability exists in the buffer size of an
environment variable.
Red Hat 7.0J i386:
ftp://updates.redhat.com/7.0/ja/os/i386
/namazu-2.0.10-0j1.i386.rpm
ftp://updates.redhat.com/7.0/ja/os/i386/
namazu-devel-2.0.10-0j1.i386.rpm
ftp://updates.redhat.com/7.0/ja/os/i386/
namazu-cgi-2.0.10-0j1.i386.rpm
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1796.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 06:48:14 PST