+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| May 31st, 2002 Volume 3, Number 22a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for k5su, bzip2, kernel, rc, imap,
perl-Digest-MD5, fetchmail, dhcp, mailman, mozilla, nss_ldap, and tcpdump.
The vendors include Conectiva, FreeBSD, Mandrake, Red Hat, and SuSE.
FEATURE: Flying Pigs: Snorting Next Generation Secure Remote Log Servers
over TCP:
A Comprehensive Guide to Building Encrypted, Secure Remote Syslog-ng
Servers with the Snort Intrusion Detection System.
http://www.linuxsecurity.com/feature_stories/snortlog-part1.html
** Build Complete Internet Presence Quickly and Securely! **
EnGarde Secure Linux has everything necessary to create thousands of
virtual Web sites, manage e-mail, DNS, firewalling, and database functions
for an entire organization, all using a secure Web-based front-end.
Engineered to be secure and easy to use!
--> http://www.guardiandigital.com/promo/ls230502.html
+---------------------------------+
| k5su | ----------------------------//
+---------------------------------+
Contrary to the expectations of many BSD system administrators, users not
in group `wheel' may use k5su to attempt to obtain superuser privileges.
Note that this would require knowledge of the root account password, or an
explicit entry in the Kerberos 5 `.k5login' ACL for the root account.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2094.html
+---------------------------------+
| bzip2 | ----------------------------//
+---------------------------------+
Files may be inadvertently overwritten without warning. Due to the race
condition between creating files and setting proper permissions, a local
user may be able to read the contents of files regardless of their
intended permissions. Decompressed files that were originally pointed to
by a symbolic link may end up with in incorrect permissions, allowing
local users to view their contents.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2095.html
+---------------------------------+
| FreeBSD kernel | ----------------------------//
+---------------------------------+
By simply connecting to a socket using accept filtering and holding a few
hundred sockets open (~190 with the default backlog value), one may deny
access to a service. In addition to malicious users, this affect has also
been reported to be caused by worms such as Code Red which generate URLs
that do not meet the http accept filter's criteria.
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/
patches/SA-02:26/accept.patch
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2102.html
+---------------------------------+
| rc | ----------------------------//
+---------------------------------+
Users may remove the contents of arbitrary directories if the
/tmp/.X11-unix directory does not already exist and the system can be
enticed to reboot (or the user can wait until the next system maintenance
window).
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/
patches/SA-02:27/rc.patch
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2103.html
+---------------------------------+
| imap | ----------------------------//
+---------------------------------+
A buffer overflow was discovered in the imap server that could allow a
malicious user to run code on the server with the uid and gid of the email
owner by constructing a malformed request that would trigger the buffer
overflow. However, the user must successfully authenticate to the imap
service in order to exploit it, which limits the scope of the
vulnerability somewhat, unless you are a free mail provider or run a mail
service where users do not already have shell access to the system.
Mandrake Linux 8.2:
8.2/RPMS/imap-2001a-5.1mdk.i586.rpm
6f76f364c6c5c9ba37a200bfec94021c
8.2/RPMS/imap-devel-2001a-5.1mdk.i586.rpm
43729a72c87d22c1b711f89c767be6f3
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2091.html
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/]
imap-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
imap-devel-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
imap-devel-static-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
imap-doc-2000c-12U8_2cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2087.html
Red Hat 7.2: i386:
ftp://updates.redhat.com/7.2/en/os/i386/
imap-2001a-1.72.0.i386.rpm
d2d9a10cb6c8faed062da4f21d8fb7e5
ftp://updates.redhat.com/7.2/en/os/i386/
imap-devel-2001a-1.72.0.i386.rpm
21feec5a469ff71e706173199ffc3856
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2088.html
+---------------------------------+
| perl-Digest-MD5 | ----------------------------//
+---------------------------------+
A bug exists in the UTF8 interaction between the perl-Digest-MD5 module
and perl that results in UTF8 strings having improper MD5 digests. The
2.20 version of the module corrects this problem.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2092.html
+---------------------------------+
| fetchmail | ----------------------------//
+---------------------------------+
A problem was discovered with versions of fetchmail prior to 5.9.10 that
was triggered by retreiving mail from an IMAP server. The fetchmail
client will allocate an array to store the sizes of the messages it is
attempting to retrieve. This array size is determined by the number of
messages the server is claiming to have, and fetchmail would not check
whether or not the number of messages the server was claiming was too
high. This would allow a malicious server to make the fetchmail process
write data outside of the array bounds.
Mandrake Linux 8.2:
8.2/RPMS/fetchmail-5.9.11-6.1mdk.i586.rpm
62ae12e980691928fb97a53665ea8aec
8.2/RPMS/fetchmail-daemon-5.9.11-6.1mdk.i586.rpm
2421a5a2606b79e9e0c2a4336d7314e2
8.2/RPMS/fetchmailconf-5.9.11-6.1mdk.i586.rpm
aa06981d47199bce1d67ae6dee07581e
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2093.html
+---------------------------------+
| dhcp | ----------------------------//
+---------------------------------+
Fermin J. Serna discovered a problem in the dhcp server and client package
from versions 3.0 to 3.0.1rc8, which are affected by a format string
vulnerability that can be exploited remotely. By default, these versions
of DHCP are compiled with the dns update feature enabled, which allows
DHCP to update DNS records. The code that logs this update has an
exploitable format string vulnerability; the update message can contain
data provided by the attacker, such as a hostname. A successful
exploitation could give the attacker elevated privileges equivalent to the
user running the DHCP daemon, which is the user dhcpd in Mandrake Linux
8.x, but root in earlier versions.
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2099.html
+---------------------------------+
| mailman | ----------------------------//
+---------------------------------+
According to this announcement, "office" reported such a
vulnerability in the login page, and Tristan Roddis reported one in
the Pipermail index summaries.
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/
mailman-2.0.11-1U8_1cl.i386.rpm
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2089.html
+---------------------------------+
| mozilla | ----------------------------//
+---------------------------------+
GreyMagic Security found[1] a vulnerability[2] in mozilla prior to version
1.0rc1 which allows a hostile site to read and list user files. The
vulnerability was related to the XMLHTTP, a component that is primarily
used for retrieving XML documents from a web server.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2098.html
+---------------------------------+
| nss_ldap | ----------------------------//
+---------------------------------+
Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7.0,
7.1,7.2, and 7.3. These packages fix a string format vulnerability in the
pam_ldap module.
Red Hat Linux 7.3 i386:
ftp://updates.redhat.com/7.3/en/os/i386/
nss_ldap-189-2.i386.rpm
d2b2402e6c59f886556872d6b2bc2f16
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2090.html
+---------------------------------+
| tcpdump | ----------------------------//
+---------------------------------+
Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat
Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS
packets.
Red Hat Linux 7.2 i386:
ftp://updates.redhat.com/7.2/en/os/i386/
tcpdump-3.6.2-11.7.2.0.i386.rpm
cc168b456fbde106ad1879fe7346c1ee
ftp://updates.redhat.com/7.2/en/os/i386/
libpcap-0.6.2-11.7.2.0.i386.rpm
f26ebb5d1cbb91d4b5effd9174f1728d
ftp://updates.redhat.com/7.2/en/os/i386/
arpwatch-2.1a11-11.7.2.0.i386.rpm
74863a3b3110d2dbb03a03c1ad213152
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2100.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2097.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 07:05:52 PDT