[ISN] Linux Advisory Watch - May 31st 2002

From: InfoSec News (isnat_private)
Date: Mon Jun 03 2002 - 03:16:28 PDT

    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  May 31st, 2002                           Volume 3, Number 22a |
    +----------------------------------------------------------------+
     
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
     
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week. It
    includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for k5su, bzip2, kernel, rc, imap,
    perl-Digest-MD5, fetchmail, dhcp, mailman, mozilla, nss_ldap, and tcpdump.  
    The vendors include Conectiva, FreeBSD, Mandrake, Red Hat, and SuSE.
    
     
    FEATURE: Flying Pigs: Snorting Next Generation Secure Remote Log Servers
    over TCP:
    
    A Comprehensive Guide to Building Encrypted, Secure Remote Syslog-ng
    Servers with the Snort Intrusion Detection System.
    
       http://www.linuxsecurity.com/feature_stories/snortlog-part1.html
    
    
    ** Build Complete Internet Presence Quickly and Securely! **  
     
    EnGarde Secure Linux has everything necessary to create thousands of
    virtual Web sites, manage e-mail, DNS, firewalling, and database functions
    for an entire organization, all using a secure Web-based front-end.
    Engineered to be secure and easy to use!
      
     --> http://www.guardiandigital.com/promo/ls230502.html 
    
    
    +---------------------------------+
    |  k5su                           | ----------------------------//
    +---------------------------------+  
    
    Contrary to the expectations of many BSD system administrators, users not
    in group `wheel' may use k5su to attempt to obtain superuser privileges.  
    Note that this would require knowledge of the root account password, or an
    explicit entry in the Kerberos 5 `.k5login' ACL for the root account.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2094.html
    
    
    
    
    +---------------------------------+
    |  bzip2                          | ----------------------------//
    +---------------------------------+  
    
    Files may be inadvertently overwritten without warning. Due to the race
    condition between creating files and setting proper permissions, a local
    user may be able to read the contents of files regardless of their
    intended permissions. Decompressed files that were originally pointed to
    by a symbolic link may end up with incorrect permissions, allowing
    local users to view their contents.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2095.html
    
    
    
    
    +---------------------------------+
    |  FreeBSD kernel                 | ----------------------------//
    +---------------------------------+ 
    
    By simply connecting to a socket using accept filtering and holding a few
    hundred sockets open (~190 with the default backlog value), one may deny
    access to a service.  In addition to malicious users, this effect has also
    been reported to be caused by worms such as Code Red which generate URLs
    that do not meet the http accept filter's criteria.
    
     FreeBSD: 
     ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ 
     patches/SA-02:26/accept.patch 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2102.html
    
    
    
    
    +---------------------------------+
    |  rc                             | ----------------------------//
    +---------------------------------+ 
    
    Users may remove the contents of arbitrary directories if the
    /tmp/.X11-unix directory does not already exist and the system can be
    enticed to reboot (or the user can wait until the next system maintenance
    window).
    
     FreeBSD: 
     ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ 
     patches/SA-02:27/rc.patch 
    
     FreeBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2103.html
    
    
    
    +---------------------------------+
    |  imap                           | ----------------------------//
    +---------------------------------+ 
    
    A buffer overflow was discovered in the imap server that could allow a
    malicious user to run code on the server with the uid and gid of the email
    owner by constructing a malformed request that would trigger the buffer
    overflow.  However, the user must successfully authenticate to the imap
    service in order to exploit it, which limits the scope of the
    vulnerability somewhat, unless you are a free mail provider or run a mail
    service where users do not already have shell access to the system.
    
     Mandrake Linux 8.2: 
     8.2/RPMS/imap-2001a-5.1mdk.i586.rpm 
     6f76f364c6c5c9ba37a200bfec94021c 
    
     8.2/RPMS/imap-devel-2001a-5.1mdk.i586.rpm 
     43729a72c87d22c1b711f89c767be6f3 
    
     http://www.mandrakesecure.net/en/ftp.php 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2091.html 
    
    
     Conectiva: 
     ftp://atualizacoes.conectiva.com.br/8/RPMS/
     imap-2000c-12U8_2cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     imap-devel-2000c-12U8_2cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     imap-devel-static-2000c-12U8_2cl.i386.rpm 
    
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     imap-doc-2000c-12U8_2cl.i386.rpm 
    
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2087.html 
      
    
     Red Hat 7.2: i386: 
     ftp://updates.redhat.com/7.2/en/os/i386/ 
     imap-2001a-1.72.0.i386.rpm 
     d2d9a10cb6c8faed062da4f21d8fb7e5 
    
     ftp://updates.redhat.com/7.2/en/os/i386/ 
     imap-devel-2001a-1.72.0.i386.rpm 
     21feec5a469ff71e706173199ffc3856 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2088.html
    
    
    +---------------------------------+
    |  perl-Digest-MD5                | ----------------------------//
    +---------------------------------+ 
    
    A bug exists in the UTF8 interaction between the perl-Digest-MD5 module
    and perl that results in UTF8 strings having improper MD5 digests.  The
    2.20 version of the module corrects this problem.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2092.html
    
    
    
    
    +---------------------------------+
    |  fetchmail                      | ----------------------------//
    +---------------------------------+ 
    
    A problem was discovered with versions of fetchmail prior to 5.9.10 that
    was triggered by retrieving mail from an IMAP server.  The fetchmail
    client will allocate an array to store the sizes of the messages it is
    attempting to retrieve. This array size is determined by the number of
    messages the server is claiming to have, and fetchmail would not check
    whether or not the number of messages the server was claiming was too
    high.  This would allow a malicious server to make the fetchmail process
    write data outside of the array bounds.
    
     Mandrake Linux 8.2: 
     8.2/RPMS/fetchmail-5.9.11-6.1mdk.i586.rpm 
     62ae12e980691928fb97a53665ea8aec 
    
     8.2/RPMS/fetchmail-daemon-5.9.11-6.1mdk.i586.rpm 
     2421a5a2606b79e9e0c2a4336d7314e2 
    
     8.2/RPMS/fetchmailconf-5.9.11-6.1mdk.i586.rpm 
     aa06981d47199bce1d67ae6dee07581e 
    
     http://www.mandrakesecure.net/en/ftp.php 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2093.html
    
    
      
    +---------------------------------+
    |  dhcp                           | ----------------------------//
    +---------------------------------+ 
    
    Fermin J. Serna discovered a problem in the dhcp server and client package
    from versions 3.0 to 3.0.1rc8, which are affected by a format string
    vulnerability that can be exploited remotely.  By default, these versions
    of DHCP are compiled with the dns update feature enabled, which allows
    DHCP to update DNS records.  The code that logs this update has an
    exploitable format string vulnerability; the update message can contain
    data provided by the attacker, such as a hostname.  A successful
    exploitation could give the attacker elevated privileges equivalent to the
    user running the DHCP daemon, which is the user dhcpd in Mandrake Linux
    8.x, but root in earlier versions.
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2099.html
    
      
    
    +---------------------------------+
    |  mailman                        | ----------------------------//
    +---------------------------------+ 
    
    According to this announcement, "office" reported such a
    vulnerability in the login page, and Tristan Roddis reported one in
    the Pipermail index summaries. 
    
     Conectiva: 
     ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
     mailman-2.0.11-1U8_1cl.i386.rpm 
    
     Mandrake Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2089.html
    
    
      
    
    +---------------------------------+
    |  mozilla                        | ----------------------------//
    +---------------------------------+ 
    
    GreyMagic Security found[1] a vulnerability[2] in mozilla prior to version
    1.0rc1 which allows a hostile site to read and list user files. The
    vulnerability was related to XMLHTTP, a component that is primarily
    used for retrieving XML documents from a web server.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Conectiva Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/other_advisory-2098.html
    
    
      
    +---------------------------------+
    |  nss_ldap                       | ----------------------------//
    +---------------------------------+ 
    
    Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7.0,
    7.1, 7.2, and 7.3. These packages fix a string format vulnerability in the
    pam_ldap module.
    
     Red Hat Linux 7.3  i386: 
     ftp://updates.redhat.com/7.3/en/os/i386/ 
     nss_ldap-189-2.i386.rpm 
     d2b2402e6c59f886556872d6b2bc2f16 
     
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2090.html
    
    
      
    +---------------------------------+
    |  tcpdump                        | ----------------------------//
    +---------------------------------+ 
    
    Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat
    Linux 6.2 and 7.x. These updates close a buffer overflow when handling NFS
    packets.
    
     Red Hat Linux 7.2 i386: 
     ftp://updates.redhat.com/7.2/en/os/i386/ 
     tcpdump-3.6.2-11.7.2.0.i386.rpm 
     cc168b456fbde106ad1879fe7346c1ee 
    
     ftp://updates.redhat.com/7.2/en/os/i386/ 
     libpcap-0.6.2-11.7.2.0.i386.rpm 
     f26ebb5d1cbb91d4b5effd9174f1728d 
    
     ftp://updates.redhat.com/7.2/en/os/i386/ 
     arpwatch-2.1a11-11.7.2.0.i386.rpm 
     74863a3b3110d2dbb03a03c1ad213152 
    
     Red Hat Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/redhat_advisory-2100.html 
    
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/suse_advisory-2097.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 07:05:52 PDT