+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| March 8th, 2002 Volume 3, Number 10a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@linuxsecurity.com ben@linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for php, cfs, cvs, xsane, openssh,
apache, ntop, squid, and radiusd-cistron. The vendors include Conectiva,
Debian, EnGarde, FreeBSD, Red Hat, Slackware, SuSE, and Yellow Dog.
Security and Simplicity - Are you looking for a solution that provides the
applications necessary to easily create thousands of virtual Web sites,
manage e-mail, DNS, firewalling, database functions for an entire
organization, and supports high-speed broadband connections all using a
Web-based front-end? EnGarde Secure Professional provides those features
and more!
http://store.guardiandigital.com/html/eng/493-AA.shtml
FEATURE: Fingerprinting Web Server Attacks - In this article, zenomorph
discusses multiple ways attackers attempt to exploit port 80 to gain
control of a web server. Using this information, an administrator can
learn to detect potential attacks and steps that are necessary to protect
a server from them.
http://www.linuxsecurity.com/feature_stories/fingerprinting-http.html
FEATURE: Linux 802.11b and wireless (in)security - In this article,
Michael talks about Linux and background on wireless security, utilities
to interrogate wireless networks, and the top tips you should know to
improve wireless security of your network.
http://www.linuxsecurity.com/feature_stories/wireless-kismet.html
+---------------------------------+
| php | ----------------------------//
+---------------------------------+
Stefan Esser, who is also a member of the PHP team, found several flaws in
the way PHP handles multipart/form-data POST requests (as described in
RFC1867) known as POST fileuploads. Each of the flaws could allow an
attacker to execute arbitrary code on the victim's system. For PHP3, the
flaws consist of a broken boundary check and an arbitrary heap overflow.
For PHP4, they consist of a broken boundary check and a heap off-by-one
error.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1925.html
Yellow Dog Linux Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1934.html
Slackware Vendor Advisory:
http://www.linuxsecurity.com/advisories/slackware_advisory-1927.html
+---------------------------------+
| cfs | ----------------------------//
+---------------------------------+
Zorgon found several buffer overflows in cfsd, a daemon that pushes
encryption services into the Unix(tm) file system. We are not yet sure if
these overflows can successfully be exploited to gain root access to the
machine running the CFS daemon. However, since cfsd can easily be forced
to die, a malicious user can easily perform a denial of service attack
against it.
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/cfs_1.3.3-8.1_i386.deb
MD5 checksum: 33651b606e1fa0dc15c9d7256580df84
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1926.html
+---------------------------------+
| cvs | ----------------------------//
+---------------------------------+
Kim Nielsen recently found an internal problem with the CVS server and
reported it to the vuln-dev mailing list. The problem is triggered by an
improperly initialized global variable. A user exploiting this can crash
the CVS server, which may be accessed through the pserver service and
running under a remote user id. It is not yet clear if the remote account
can be exposed, though.
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/
main/binary-i386/cvs_1.10.7-9_i386.deb
MD5 checksum: af8331fa78feee3029ebdde3e743adf5
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1931.html
+---------------------------------+
| xsane | ----------------------------//
+---------------------------------+
Tim Waugh found several insecure uses of temporary files in the xsane
program, which is used for scanning. This was fixed for Debian/stable by
moving those files into a securely created directory within the /tmp
directory.
Debian Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/
main/binary-i386/xsane_0.50-5.1_i386.deb
MD5 checksum: 069983f5340d5524a78b4bd896c6edb5
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1933.html
+---------------------------------+
| openssh | ----------------------------//
+---------------------------------+
An authorized remote user (i.e. a user that can successfully authenticate
on the target system) may be able to cause sshd to execute arbitrary code
with superuser privileges. A malicious server may be able to cause a
connecting ssh client to execute arbitrary code with the privileges of the
client user.
PLEASE SEE ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1938.html
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1937.html
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1940.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1939.html
+---------------------------------+
| apache | ----------------------------//
+---------------------------------+
A remote attacker could exploit this vulnerability and execute arbitrary
commands on the server running apache with this module enabled. A probable
way to exploit this is via client certificate authentication, where the
attacker would use a specially crafted certificate to overflow this
buffer. Since this vulnerability happens only after the client certificate
has been checked, this means that it would have to be signed by a CA
accepted by the apache server.
Conectiva:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
apache-1.3.22-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
apache-devel-1.3.22-1U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
apache-doc-1.3.22-1U70_3cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1928.html
+---------------------------------+
| ntop | ----------------------------//
+---------------------------------+
ntop is a UNIX tool that shows the network usage, similar to what the
popular top UNIX command does on the system level. A format string
vulnerability has been discovered on the programmatic level and is
currently known to affect the UNIX version; however, the Windows port of
the program remains untested. The vulnerability allows for remote
arbitrary code execution.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
ntop Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1932.html
+---------------------------------+
| squid | ----------------------------//
+---------------------------------+
"Squid is a high-performance proxy caching server. Various security
issues have been found in Squid up to and including version 2.4.STABLE2.
These were: 1. a memory leak in the SNMP code 2. a crash on
specially-formatted data in FTP URL parsing 3. HTCP would still be active,
even if it was disabled in the config file."
Yellow Dog Linux:
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/
yellowdog-2.1/ppc/squid-2.4.STABLE3-1.7.0.ppc.rpm
6f8f7c0c790de090b1a33ad08834f489
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1935.html
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/
squid-2.3.STABLE4-155.i386.rpm
4b1cff53fddcaf8930ec6738c6763a94
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/
squid-beta-2.4.STABLE2-94.i386.rpm
4ca7f3594ec82b703c6c36c08fb46ecb
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1929.html
+---------------------------------+
| radiusd-cistron | ----------------------------//
+---------------------------------+
The radiusd-cistron package contains a server daemon for the Remote
Authentication Dial-In User Server (RADIUS) client/server security
protocol. Various vulnerabilities have been found in Cistron RADIUS as
well as other RADIUS servers and clients.
Red Hat: i386:
ftp://updates.redhat.com/7.1/en/powertools/
i386/radiusd-cistron-1.6.6-2.i386.rpm
b5c937f5e48d4d3484b64e20f8785b4a
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1930.html
Conectiva:
ftp://atualizacoes.conectiva.com.br/7.0/7.0/RPMS/
radiusd-cistron-1.6.6-1U70_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1936.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
------------------------------------------------------------------------