[ISN] Linux Advisory Watch - March 15th 2002

From: InfoSec News (isnat_private)
Date: Mon Mar 18 2002 - 00:01:47 PST


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  March 15th, 2002                         Volume 3, Number 11a |
    +----------------------------------------------------------------+
     
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
     
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week. It
    includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for zlib, mod_ssl, xtell, pam_pgsql,
    cyrus-sasl, netscape, mod_frontpage, openssh, rsync, gzip, NetBSD kernel,
    php, fileutils, and cvs.  The vendors include Conectiva, Debian, EnGarde,
    FreeBSD, Immunix, Mandrake, NetBSD, Red Hat, Slackware, SuSE, Trustix, and
    Yellow Dog Linux.  Many serious advisories affecting nearly all Linux
    vendors were released this week; it is advisable that you patch your
    systems immediately.
    
    ALERT: Significant Vulnerability Afflicts Linux Systems - Recently in a
    coordinated effort between all major Linux vendors, a vulnerability in the
    zlib library was announced, potentially affecting every installed Linux
    system in existence.
    
    Find out more: 
    http://www.linuxsecurity.com/articles/security_sources_article-4582.html 
    
    
    Security and Simplicity - Are you looking for a solution that provides the
    applications necessary to easily create thousands of virtual Web sites,
    manage e-mail, DNS, firewalling, and database functions for an entire
    organization, and supports high-speed broadband connections all using a
    Web-based front-end? EnGarde Secure Professional provides those features
    and more!
     
    
      http://store.guardiandigital.com/html/eng/493-AA.shtml
    
    
    FEATURE: Linux Data Hiding and Recovery - Just when you thought your data
    was removed forever, Anton Chuvakin shows us how to recover data and even
    how data can surreptitiously be hidden within space on the filesystem.
    
    http://www.linuxsecurity.com/feature_stories/data-hiding-forensics.html
    
    
    FEATURE: Fingerprinting Web Server Attacks - In this article, zenomorph
    discusses multiple ways attackers attempt to exploit port 80 to gain
    control of a web server. Using this information, an administrator can
    learn to detect potential attacks and steps that are necessary to protect
    a server from them.
    
    http://www.linuxsecurity.com/feature_stories/fingerprinting-http.html
    
    
    
    +---------------------------------+
    |  zlib                           | ----------------------------//
    +---------------------------------+
    
    The compression library zlib has a flaw in which it attempts to free
    memory more than once under certain conditions. This can possibly be
    exploited to run arbitrary code in a program that includes zlib. If a
    network application running as root is linked to zlib, this could
    potentially lead to a remote root compromise. No exploits are known at
    this time.
    
     Debian: 
     PLEASE SEE VENDOR ADVISORY 
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1968.html 
      
     Mandrake Linux 8.1: 
     8.1/RPMS/zlib1-1.1.3-16.1mdk.i586.rpm 
     6dca9c0ff7dac9759d735150139182da 
    
     8.1/RPMS/zlib1-devel-1.1.3-16.1mdk.i586.rpm 
     320d06d5f1acc841965ad6c16db396cf 
    
     http://www.mandrakesecure.net/en/ftp.php 
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1976.html 
    
     Mandrake Vendor Advisory [UPDATE]: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1983.html 
    
     SuSE Vendor Advisory I: 
     http://www.linuxsecurity.com/advisories/suse_advisory-1967.html 
    
     SuSE Vendor Advisory II: 
     http://www.linuxsecurity.com/advisories/suse_advisory-1966.html 
    
     EnGarde Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1960.html 
    
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1982.html 
    
     Red Hat Vendor Advisory I: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-1965.html 
    
     Red Hat Vendor Advisory II: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-1963.html 
    
     Slackware Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/slackware_advisory-1973.html
    
    
    +---------------------------------+
    |  mod_ssl, apache_ssl            | ----------------------------//
    +---------------------------------+
    
    To exploit the overflow, the server must be configured to require client
    certificates, and an attacker must obtain a carefully crafted client
    certificate that has been signed by a Certificate Authority which is
    trusted by the server. If these conditions are met, it would be possible
    for an attacker to execute arbitrary code on the server.
    
    
     Debian Intel ia32 architecture: 
     http://security.debian.org/dists/stable/updates/main/ 
     binary-i386/apache-ssl_1.3.9.13-4_i386.deb 
     MD5 checksum: 5085998b8751242a7e9c59b4806a7b24 
      
     http://security.debian.org/dists/stable/updates/main/binary-i386/ 
     libapache-mod-ssl_2.4.10-1.3.9-1potato1_i386.deb 
     MD5 checksum: e9a64fab4b7891f00b7e66f524ec0ec9 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1951.html 
      
    
     Mandrake Linux 8.1: 
     8.1/RPMS/mod_ssl-2.8.5-2.1mdk.i586.rpm 
     020058f4fd26dc78480804caf5cd0044 
     http://www.mandrakesecure.net/en/ftp.php 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1947.html 
    
      
    
     Red Hat: i386: 
     ftp://updates.redhat.com/7.2/en/os/i386/mod_ssl-2.8.5-4.i386.rpm 
     b7c91618cfb9110ce1ad620b9df05ab7 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-1941.html 
     
    
    
      
    +---------------------------------+
    |  xtell                          | ----------------------------//
    +---------------------------------+
    
    Several security-related problems have been found in the xtell package, a
    simple messaging client and server. These include several buffer
    overflows, a problem in connection with symbolic links, and unauthorized
    directory traversal when the path contains "..". These problems could
    allow an attacker to execute arbitrary code on the server machine.  The
    server runs with nobody privileges by default, so this would be the
    account to be exploited.
    
     Debian  Intel ia32 architecture: 
     http://security.debian.org/dists/stable/updates/ 
     main/binary-i386/xtell_1.91.1_i386.deb 
     MD5 checksum: 15dba43eec2b9b24a04523b27e621bbd 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-1964.html
    
    
      
    +---------------------------------+
    |  pam-pgsql                      | ----------------------------//
    +---------------------------------+
    
    The affected versions of the pam-pgsql port contain a vulnerability that
    may allow a remote user to cause arbitrary SQL code to be executed.  
    pam-pgsql constructs a SQL statement to be executed by the PostgreSQL
    server in order to look up user information, verify user passwords, and
    change user passwords.  The username and password given by the user are
    inserted into the SQL statement without any quoting or other safety
    checks.
    
     FreeBSD: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1969.html
    
    
    
    +---------------------------------+
    |   cyrus-sasl                    | ----------------------------//
    +---------------------------------+
    
    Affected versions of the cyrus-sasl port contain a format string
    vulnerability. The format string vulnerability occurs during a call to the
    syslog(3) function.
    
     FreeBSD: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1970.html
    
    
      
    
    +---------------------------------+
    |  netscape                       | ----------------------------//
    +---------------------------------+
    
    The GIF89a and JPEG standards permit images to have embedded comments, in
    which any kind of textual data may be stored. Versions 4.76 and earlier of
    the Netscape browser will execute JavaScript contained in such a comment
    block, if execution of JavaScript is enabled in the configuration of the
    browser.
    
     FreeBSD: 
     ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/ 
    
     linux-netscape-communicator-4.79.tgz 
     linux-netscape-navigator-4.79.tgz 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1971.html
    
    
    
    
    +---------------------------------+
    |  mod_frontpage                  | ----------------------------//
    +---------------------------------+
    
    Affected versions of the mod_frontpage port contain several exploitable
    buffer overflows in the fpexec wrapper, which is installed setuid root. A
    local attacker may obtain superuser privileges by exploiting the buffer
    overflow bugs in fpexec.
    
     FreeBSD: 
     PLEASE SEE VENDOR ADVISORY 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-1972.html 
      
    
     Mandrake Linux 8.1: 
     http://www.mandrakesecure.net/en/ftp.php 
     8.1/RPMS/mod_frontpage-1.6.1-3.1mdk.i586.rpm 
     8c2baeebb796353035f8816ed6cdfbed 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1945.html
    
    
      
    +---------------------------------+
    |  openssh                        | ----------------------------//
    +---------------------------------+
    
    Joost Pol found a bug in the channel code of all versions of OpenSSH from
    2.0 to 3.0.2.  This bug can be exploited by authenticated users with an
    existing account on the vulnerable system to obtain root privilege, or by a
    malicious server attacking a vulnerable client.  OpenSSH 3.1 is not
    vulnerable to this problem.  The provided packages fix this vulnerability.
    
     Mandrake Linux 8.1: 
     8.1/RPMS/openssh-3.1p1-1.1mdk.i586.rpm 
     44ff50aad9a9696ee747d201b9a3bd5f 
    
     8.1/RPMS/openssh-askpass-3.1p1-1.1mdk.i586.rpm 
     a8d4315ed3b5fab0e8d8f3abcae36ce7 
    
     8.1/RPMS/openssh-askpass-gnome-3.1p1-1.1mdk.i586.rpm 
     4df4ec7a72c4c5dbda179799738b8bd7 
    
     8.1/RPMS/openssh-clients-3.1p1-1.1mdk.i586.rpm 
     a332044cf9eaeaaae0af923d55678e2b 
    
     8.1/RPMS/openssh-server-3.1p1-1.1mdk.i586.rpm 
     a2a39c0c29d0c3a7660d8c58023edbe4 
    
     http://www.mandrakesecure.net/en/ftp.php 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1946.html 
      
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-1978.html 
    
     Trustix Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1943.html 
    
     YellowDog Linux Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1950.html 
    
     Immunix Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1961.html 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-1948.html 
    
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/slackware_advisory-1944.html
    
    
    
    +---------------------------------+
    |   rsync                         | ----------------------------//
    +---------------------------------+
    
    Ethan Benson discovered a bug in rsync where the supplementary groups that
    the rsync daemon runs as (such as root) would not be removed from the
    server process after changing to the specified unprivileged uid and gid.
    
     Mandrake Linux 8.1: 
     8.1/RPMS/rsync-2.5.4-1.1mdk.i586.rpm 
     e3733dc91021b997e656fafe86915fe9 
    
     Mandrake Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1981.html 
    
     
     Slackware 8.0:
     ftp://ftp.slackware.com/pub/slackware/
     slackware-8.0/patches/packages/rsync.tgz  
     e88390bae124be2af4b707ad3fbfc791 
    
     Slackware Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/slackware_advisory-1974.html
    
    
    +---------------------------------+
    |  gzip                           | ----------------------------//
    +---------------------------------+
    
    There are ftp daemon programs that invoke gzip on demand (like wu-ftpd).
    If your systems run these daemons, depending on the configuration it could
    lead to a remote root compromise.
    
     NetBSD: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-1977.html
    
    
      
    +---------------------------------+
    |   NetBSD kernel                 | ----------------------------//
    +---------------------------------+
    
    There was a bug in the IPv4 forwarding path, and the inbound SPD (security
    policy database) was not consulted on forwarding.  As a result, NetBSD
    routers configured to be a VPN gateway failed to reject unencrypted
    packets.
    
     NetBSD: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-1979.html
    
    
      
    +---------------------------------+
    |   php                           | ----------------------------//
    +---------------------------------+
    
    Stefan Esser of E-matters security discovered and published[2,3] several
    vulnerabilities[4] in the php_mime_split function used for file uploads
    that could allow an attacker to execute arbitrary commands on the server.
    This affects both PHP4 and PHP3.
    
     Conectiva: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1942.html
    
    
      
    +---------------------------------+
    |   fileutils                     | ----------------------------//
    +---------------------------------+
    
    The GNU File Utilities are the basic file-manipulation utilities of the
    GNU operating system.  A race condition in various utilities from the GNU
    fileutils package may cause the root user to delete the whole filesystem.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-1959.html
    
    
    
    +---------------------------------+
    |  cvs                            | ----------------------------//
    +---------------------------------+
    
    Package updated: Patched to link to the shared zlib on the system instead
    of statically linking to the included zlib source.  Also, use mktemp to
    create files in /tmp more safely.
    
     Slackware 8.0: 
     ftp://ftp.slackware.com/pub/slackware/
     slackware-8.0/patches/packages/cvs.tgz
     6758d0f323e9ebbd9aa1272c6c9dc482 
    
     Slackware Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/slackware_advisory-1974.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    


