[ISN] Linux Advisory Watch - May 17th 2002

From: InfoSec News (isnat_private)
Date: Mon May 20 2002 - 03:23:06 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  May 17th, 2002                           Volume 3, Number 20a |
    +----------------------------------------------------------------+
     
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
     
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week. It
    includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for icecast, sharutils, fileutils,
    imapd, shadow/pam modules, lukemftp, openssh, tcpdump, and mpg123.  The
    Vendors include Caldera, Mandrake, Red Hat, and SuSE.
    
    FTP Attack Case Study Part I: The Analysis 
    This article presents a case study of a company network server compromise.
    The attack and other intruder's actions are analyzed. Computer forensics
    investigation is undertaken and results are presented. The article
    provides an opportunity to follow the trail of incident response for the
    real case.
     
    http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html 
     
     
    +---------------------------------+
    |  icecast                        | ----------------------------//
    +---------------------------------+  
    
    Buffer overflows in the icecast server allow remote attackers to execute
    arbitrary code via a long HTTP GET request, as well as allowing denial of
    service attacks.
    
     Caldera:  
     ftp://ftp.caldera.com/pub/updates/OpenLinux/
     3.1.1/Server/current/RPMS 
     icecast-1.3.12-1.i386.rpm 
     83407efa0c40a9ceac02606ae37237f2 
    
     Caldera Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/caldera_advisory-2067.html
    
    
    +---------------------------------+
    |  sharutils                      | ----------------------------//
    +---------------------------------+  
    
    The sharutils package contains a set of tools for encoding and decoding
    packages of files in binary or text format. The uudecode utility would
    create an output file without checking to see if it was about to write to a
    symlink or a pipe.  If a user uses uudecode to extract data into open
    shared directories, such as /tmp, this vulnerability could be used by a
    local attacker to overwrite files or lead to privilege escalation.
    
     Red Hat i386: 
     ftp://updates.redhat.com/7.2/en/os/i386/
     sharutils-4.2.1-8.7.x.i386.rpm 
     38d89d89bb513d216b1a2a954be6d07b 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2069.html
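
Added example, not part of the original newsletter and not the sharutils code: one way a decoder can create its output file so that a symlink or pipe already planted under that name in a shared directory is refused instead of written through. The function names, the sample file names and the temp directory are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a decoder output file; refuse symlinks, pipes and any existing name.
 * Returns a file descriptor, or -1 with errno set. */
int safe_create_output(const char *path, mode_t mode)
{
    /* O_EXCL fails if the name exists at all (file, symlink or FIFO);
     * O_NOFOLLOW refuses a symlink in the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    struct stat st;
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {  /* second check on the fd */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir. Returns 0 when the planted
 * symlink and FIFO are refused, the symlink target keeps its 4 bytes, and a
 * fresh name is created; a non-zero value names the check that failed. */
int demo(void)
{
    char dir[] = "/tmp/uudemoXXXXXX", p[4][64];
    const char *names[4] = { "victim", "out.sym", "out.fifo", "out.new" };
    struct stat st;
    int rc = 0, fd;
    if (!mkdtemp(dir)) return -1;
    for (int i = 0; i < 4; i++) snprintf(p[i], sizeof p[i], "%s/%s", dir, names[i]);
    fd = open(p[0], O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) rc = -1;
    if (fd >= 0) close(fd);
    if (symlink(p[0], p[1]) != 0 || mkfifo(p[2], 0600) != 0) rc = -1;
    if (safe_create_output(p[1], 0600) != -1) rc = 1;   /* symlink must be refused */
    if (safe_create_output(p[2], 0600) != -1) rc = 2;   /* FIFO must be refused */
    if (stat(p[0], &st) != 0 || st.st_size != 4) rc = 3; /* target left intact */
    if ((fd = safe_create_output(p[3], 0600)) < 0) rc = 4; else close(fd);
    for (int i = 0; i < 4; i++) unlink(p[i]);
    rmdir(dir);
    return rc;
}
int main(void) { int rc = demo(); printf("demo: %d\n", rc); return rc; }
```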
    
    
    
    +---------------------------------+
    |  fileutils                      | ----------------------------//
    +---------------------------------+  
    
    A race condition in various utilities from the GNU fileutils package may
    cause a root user to delete the whole filesystem. This update resolves a
    problem in the original fix that would cause an attempt to recursively
    remove a directory with trailing slashes to memory fault.
    
     Caldera: 
     ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/
     Server/current/RPMS/fileutils-4.1-5.i386.rpm 
     d01d42d41800d0b9c1d02c4fec07a79d 
    
     Caldera Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/caldera_advisory-2070.html 
      
    
     Mandrake Linux 8.1: 
     http://www.mandrakesecure.net/en/ftp.php 
     8.1/RPMS/fileutils-4.1-4.1mdk.i586.rpm 
     593e200c8b2f2c83e7a6bb90a54cd853 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2075.html
    
      
      
    +---------------------------------+
    |  imapd                          | ----------------------------//
    +---------------------------------+  
    
    A malicious user may construct a malformed request that will cause a
    buffer overflow, allowing the user to run code on the server with the uid
    and gid of the e-mail owner.
    
     Caldera: 
     ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/
     Server/current/RPMS/imap-2000-14.i386.rpm 
     3d4c39ed407a122f963f9f508f908c92 
     imap-devel-2000-14.i386.rpm 
     5c49edd5001471188ed6da5a20413f42 
    
     Caldera Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/caldera_advisory-2071.html
    
    
    
    +---------------------------------+
    |  shadow/pam modules             | ----------------------------//
    +---------------------------------+  
    
    The shadow package contains several useful programs to maintain the
    entries in the /etc/passwd and /etc/shadow files. The SuSE Security Team
    discovered a vulnerability that allows local attackers to destroy the
    contents of these files or to extend the group privileges of certain
    users. This is possible by setting evil filesize limits before invoking
    one of the programs modifying the system files. Depending on the
    permissions of the system binaries this allows a local attacker to gain
    root privileges in the worst case. This however is not possible in a
    default installation.
    
     SuSE i386 Intel Platform: 
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/
     shadow-4.0.2-88.i386.rpm 
     a4e0d03ecf7707eb7ca1f0422cae89f1 
    
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/
     pam-modules-2002.3.9-31.i386.rpm 
     70322584f014ac3e2dc2dad0beecdefb 
    
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/suse_advisory-2072.html
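
Added example, not part of the original newsletter and not the SuSE fix: a file-update routine that survives a caller-imposed file size limit by ignoring SIGXFSZ, checking every write, and only renaming a complete temporary file over the original. The function names, the sample path and the 16-byte limit are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>
/* Replace `path` with `data` via temp file + rename. Returns 0 on success,
 * -1 if the new contents were not written completely (old file untouched). */
int replace_file(const char *path, const char *data, size_t len)
{
    char tmp[512]; size_t off = 0;
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    signal(SIGXFSZ, SIG_IGN);  /* over-limit write() fails with EFBIG, no kill */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) break;                 /* EFBIG, ENOSPC, ... */
        off += (size_t)n;
    }
    int ok = (off == len) && fsync(fd) == 0;
    if (close(fd) != 0) ok = 0;
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp);                           /* never install a truncated file */
    return -1;
}

/* Constructed scenario: under a 16-byte RLIMIT_FSIZE a 64-byte update must
 * fail. Returns the surviving file's size (expected 5), or -1 otherwise. */
long demo_limited_update(void)
{
    char dir[] = "/tmp/fsizeXXXXXX", path[64], big[64] = {0};
    struct rlimit old, low; struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/passwd.sample", dir);
    if (replace_file(path, "root\n", 5) != 0) return -1;
    getrlimit(RLIMIT_FSIZE, &old); low = old; low.rlim_cur = 16;
    setrlimit(RLIMIT_FSIZE, &low);         /* the hostile caller's setting */
    int rc = replace_file(path, big, sizeof big);
    setrlimit(RLIMIT_FSIZE, &old);         /* restore the original soft limit */
    long size = (rc == -1 && stat(path, &st) == 0) ? (long)st.st_size : -1;
    unlink(path); rmdir(dir);
    return size;
}
int main(void) { printf("size after failed update: %ld\n", demo_limited_update()); return 0; }
```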
    
    
    
    +---------------------------------+
    |  lukemftp                       | ----------------------------//
    +---------------------------------+  
    
    A buffer overflow could be triggered by a malicious ftp server while the
    client parses the PASV ftp command. An attacker who controls an ftp server
    to which a client using lukemftp is connected can gain remote access to
    the client's machine with the privileges of the user running lukemftp.
    
     SuSE i386 Intel Platform: 
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/
     lukemftp-1.5-249.i386.rpm 
     0ae28f7ca49157bfa5783626d3e82cef 
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/suse_advisory-2073.html
    
    
    
    +---------------------------------+
    |   openssh                       | ----------------------------//
    +---------------------------------+  
    
    A buffer overflow exists in OpenSSH if KerberosTgtPassing or
    AFSTokenPassing has been enabled in the sshd_config file. A malicious
    user, possibly remote, could use this vulnerability to gain privileged
    access to the system.
    
     Caldera: 
     ftp://ftp.caldera.com/pub/updates/OpenLinux/
     3.1.1/Server/current/RPMS/openssh-2.9p2-6.i386.rpm 
     f9a494af5e0e6a8eec419f8f94087f7e 
    
     openssh-askpass-2.9p2-6.i386.rpm 
     b9fcc6352bc4c65f63cda1b0caa2b89c 
    
     openssh-server-2.9p2-6.i386.rpm 
     ff4a5bc7e7b1d4fd3f79c647d11d9162 
    
     Caldera Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/caldera_advisory-2074.html
    
    
    
    +---------------------------------+
    |   tcpdump                       | ----------------------------//
    +---------------------------------+  
    
    Several buffer overflows were found in the tcpdump package by FreeBSD
    developers during a code audit, in versions prior to 3.5.  However, newer
    versions of tcpdump, including 3.6.2, are also vulnerable to another
    buffer overflow in the AFS RPC decoding functions, which was discovered by
    Nick Cleaton.  These vulnerabilities could be used by a remote attacker to
    crash the tcpdump process or possibly even be exploited to execute
    arbitrary code as the user running tcpdump, which is usually root.
    
     Mandrake Linux 8.2: 
     http://www.mandrakesecure.net/en/ftp.php 
     8.2/RPMS/tcpdump-3.6.2-2.1mdk.i586.rpm 
     8c36a78c9a086c2d582d70d431533650 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2076.html
    
    
    
    +---------------------------------+
    |  mpg123                         | ----------------------------//
    +---------------------------------+  
    
    It is possible for mpg321 before version 0.2.9 to segfault if given
    certain specifically crafted data. In the case of network streaming, this
    data would be remotely supplied, which could lead to remote code
    execution. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CAN-2002-0272 to this issue. It is
    recommended that users of mpg321 upgrade to these errata packages
    containing mpg321 version 0.2.10, which is not vulnerable to this issue.
    
     Red Hat i386: 
     ftp://updates.redhat.com/7.2/en/os/i386/
     mpg321-0.2.9-2.5.i386.rpm 
     303336e4e07e4df3e4d5eaec1411471a 
    
     ftp://updates.redhat.com/7.2/en/os/i386/ 
     libmad-0.14.2b-3.i386.rpm 
     77ea28f34a20a0aa98287bc018240bab 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2077.html
    
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    ------------------------------------------------------------------------
    
    
    
    ISN is currently hosted by Attrition.org