[ISN] Linux Advisory Watch - May 10th 2002

From: InfoSec News (isnat_private)
Date: Sun May 12 2002 - 23:38:08 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  May 10th, 2002                           Volume 3, Number 19a |
    +----------------------------------------------------------------+
     
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
     
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week. It
    includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for mod_python, tcpdump, imlib,
    sysconfig, webmin, netfilter, and dhcp.  The vendors include Conectiva,
    Red Hat, and SuSE.
    
    FTP Attack Case Study Part I: The Analysis
    
    This article presents a case study of a company network server compromise.
    The attack and the intruder's other actions are analyzed. A computer
    forensics investigation is undertaken and its results are presented. The
    article provides an opportunity to follow the trail of incident response
    for a real case.
    
    http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html 
    
    
    * FREE SSL Guide from Thawte - Are you planning your Web Server Security?
    Click here to get a FREE Thawte SSL guide and find the answers to all your
    SSL security issues.
    
     --> http://www.gothawte.com/rd249.html 
      
    
    +---------------------------------+
    |  mod python                     | ----------------------------//
    +---------------------------------+  
    
    As stated[1] by Allan Saddi in the mailing list of mod_python, there was a
    vulnerability which would allow a publisher to access an indirectly
    imported module, thus allowing a remote attacker to call functions from
    that module (which is an unexpected and potentially dangerous behavior).
     
     Conectiva: 
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     mod_python-2.7.8-1U8_1cl.i386.rpm 
     
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2051.html 
    
     Red Hat 7.3 i386: 
     ftp://updates.redhat.com/7.3/en/os/i386/ 
     mod_python-2.7.8-1.i386.rpm 
     9b9e4a43002cd22f9a8df7fd9784e925 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2056.html 
      
      
     
    
    
    +---------------------------------+
    |  tcpdump                        | ----------------------------//
    +---------------------------------+  
    
    tcpdump buffer overflows: during an audit of the tcpdump code by FreeBSD
    developers, several buffer overflows were discovered[2] in tcpdump
    versions prior to 3.5. Newer versions (including 3.6.2) are also vulnerable
    to another buffer overflow[3] in the AFS RPC decoding functions, as pointed
    out by Nick Cleaton.
    
     Conectiva: 
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     libpcap-0.6.2-4U8_1cl.i386.rpm 
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     libpcap-devel-0.6.2-4U8_1cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     libpcap-devel-static-0.6.2-4U8_1cl.i386.rpm  
    
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     tcpdump-3.6.2-3U8_1cl.i386.rpm 
    
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2052.html 
      
     
    
    +---------------------------------+
    |  imlib                          | ----------------------------//
    +---------------------------------+  
    
    Imlib could, under certain circumstances, revert to using a netpbm library
    which is well known to have security problems and should not be used for
    handling untrusted data. Furthermore, heap corruption could occur in the
    imlib code.
    
     SuSE: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/suse_advisory-2053.html
    
    
    
    
    +---------------------------------+
    |  sysconfig                      | ----------------------------//
    +---------------------------------+  
    
    The ifup-dhcp script, which is part of the sysconfig package, is responsible
    for setting up network devices using configuration data obtained from a
    DHCP server by the dhcpcd DHCP client. It is possible for remote attackers
    to feed this script malicious data, for example via spoofed DHCP replies.
    This way ifup-dhcp could be tricked into executing arbitrary commands as
    root. The ifup-dhcp shell script has been fixed so that it no longer
    sources the file containing the possibly malicious data.
    
     SuSE-8.0 
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/ 
     sysconfig-0.23.14-60.i386.rpm 
     4d6a9f1a3e1a461ebbea9a6e98f4e894 
    
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/suse_advisory-2054.html
    
    
    
    
    +---------------------------------+
    |  webmin                         | ----------------------------//
    +---------------------------------+  
     
    A vulnerability lies in the communication between the parent process and
    the child process of Webmin and Usermin, which could allow an attacker to
    spoof a session ID as any user already logged in.  As a result, users who
    are not logged in could be able to use these software tools.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Webmin Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2055.html 
     
     Webmin Vendor Advisory 2: 
     http://www.linuxsecurity.com/advisories/other_advisory-2064.html
    
    
    
    
    +---------------------------------+
    |  netfilter                      | ----------------------------//
    +---------------------------------+  
    
    When a NAT rule applies to the first packet of a connection and that
    packet later causes the system to generate an ICMP error message, the ICMP
    error message is sent out with translated addresses included. This address
    information incorrectly gives the IP address to which the connection would
    have been forwarded if the ICMP error message was not generated, which
    exposes information about the netfilter configuration (which ports are
    being translated) and about the network topology (which address the ports
    are being forwarded to).  Also, the incorrect ICMP packets may be dropped
    by other intervening stateful firewalls as malformed packets.
    
     Red Hat: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2057.html
    
    
    
    
    +---------------------------------+
    |   dhcp                          | ----------------------------//
    +---------------------------------+  
    
    Versions ranging from 3 to 3.0.1rc8 (inclusive) have a format string
    vulnerability[1] that could be exploited remotely. Given how the DHCP
    service is used, "remotely" in this case usually means from the local
    area network.
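    The advisory does not say where in dhcp the format string bug sits, so the
    following added example (not dhcp code) illustrates the class in general: a
    logging call that passes client-supplied text as the format string versus
    the hardened form that passes it as an argument, plus a small audit helper
    that counts conversion directives in text that should never contain any.
    The sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in s. "%%" is a literal percent
 * sign and is not counted. Client-supplied text that reaches a format
 * argument with a non-zero count here is exactly the condition a format
 * string vulnerability needs. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* Hardened logging: the untrusted string is always an argument to a fixed
 * format, never the format itself. Returns the number of characters stored
 * in out (excluding the terminator), or a negative value on encoding error.
 *
 * The vulnerable form this replaces would be:
 *     snprintf(out, outsz, client_text);      // client_text used as format
 */
int log_client_text(char *out, size_t outsz, const char *client_text) {
    int n = snprintf(out, outsz, "client option text: %s", client_text);
    if (n < 0) return n;
    if ((size_t)n >= outsz) return (int)outsz - 1;  /* truncated, but still NUL-terminated */
    return n;
}

/* Constructed sample: text a client might send, containing directives.
 * Returns 1 when the hardened logger keeps them as literal characters. */
int demo_directives_stay_literal(void) {
    char buf[128];
    const char *sample = "host-1 %x %x %n";
    log_client_text(buf, sizeof buf, sample);
    return strcmp(buf, "client option text: host-1 %x %x %n") == 0;
}

int main(void) {
    char buf[128];
    const char *sample = "host-1 %x %x %n";
    printf("directives in sample: %d\n", count_format_directives(sample));
    log_client_text(buf, sizeof buf, sample);
    printf("%s\n", buf);
    return demo_directives_stay_literal() ? 0 : 1;
}
```

    Compilers can catch the vulnerable form when the format is a variable
    (`-Wformat-security` in GCC and Clang), so enabling that warning across a
    code base is a cheap audit for this class of bug.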
    
     Conectiva: 
     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     dhcp-3.0-3U8_1cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     dhcp-doc-3.0-3U8_1cl.i386.rpm 
      
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2058.html 
    
     DHCP Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2065.html
    
    
    
    
    +---------------------------------+
    |   OpenBSD                       | ----------------------------//
    +---------------------------------+  
    
    On current OpenBSD systems, any local user (whether or not in the wheel
    group) can fill the kernel file descriptor table, leading to a denial of
    service. Because of a flaw in the way the kernel checks closed file
    descriptors 0-2 when running a setuid program, it is possible to combine
    these bugs and gain root access by winning a race condition.
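    The second bug depends on a setuid program starting with one of descriptors
    0, 1 or 2 closed, so that the next file it opens lands on a standard stream.
    The kernel check is meant to prevent that, but a program that does not want
    to depend on it can do the same check itself and, crucially, fail closed
    when /dev/null cannot be opened (which is what happens when the descriptor
    table is full). The following is an added example, not OpenBSD code;
    function names are the author's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Returns 1 if fd refers to an open file description, 0 if it is closed.
 * Only EBADF means "closed"; any other error is treated as "open". */
int fd_is_open(int fd) {
    if (fcntl(fd, F_GETFD) != -1) return 1;
    return errno != EBADF;
}

/* Ensure descriptors 0, 1 and 2 are all open, pointing closed ones at
 * /dev/null. Returns how many were reopened, or -1 if a slot could not be
 * filled (for example because the descriptor table is exhausted). A setuid
 * program must treat -1 as fatal: continuing would let its next open() land
 * on a standard stream. */
int sanitise_std_fds(void) {
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd)) continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd == -1) return -1;                   /* fail closed */
        if (nfd != fd) {                            /* open() returns the lowest free fd,
                                                       so this only happens if something raced */
            if (dup2(nfd, fd) == -1) { close(nfd); return -1; }
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

/* Demonstrates the two facts the check relies on: a closed descriptor is
 * detected, and open() reuses the lowest free descriptor number. Uses a
 * pipe so the standard streams of the running process are left alone.
 * Returns 1 when both observations hold. */
int demo_lowest_fd_reuse(void) {
    int p[2];
    if (pipe(p) == -1) return 0;
    int victim = p[0];                              /* lowest free fd at pipe() time */
    close(victim);
    int closed_detected = !fd_is_open(victim);
    int nfd = open("/dev/null", O_RDONLY);          /* lands on the slot just freed */
    int reused = (nfd == victim);
    if (nfd != -1) close(nfd);
    close(p[1]);
    return closed_detected && reused;
}

int main(void) {
    /* First thing a setuid program should do, before opening anything. */
    int r = sanitise_std_fds();
    if (r == -1) {
        /* Cannot even write an error reliably; just exit. */
        _exit(1);
    }
    printf("standard fds sanitised, %d reopened on /dev/null\n", r);
    printf("closed-fd reuse demo: %s\n", demo_lowest_fd_reuse() ? "ok" : "failed");
    return 0;
}
```

    Because open() always hands out the lowest free number, sanitising in order
    0, 1, 2 is enough; the dup2() branch is only a guard against another thread
    or signal handler opening a file in between.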
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     http://www.linuxsecurity.com/advisories/openbsd_advisory-2062.html
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon May 13 2002 - 03:44:55 PDT