+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| September 20th, 2002 Volume 3, Number 38a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for purity, openssl, konqueror, php,
libkvm, libresolv, NetBSD kernel, libc, shutdown, pppd, kdf, ioctl, dns,
nfs, setlocale, postgresql, and libx11. The vendors include Conectiva,
Debian, FreeBSD, NetBSD, and SuSE. NetBSD users should pay close
attention to this issue because a number of critical advisories were
released. For more information, please see the following:
Multiple NetBSD Security Advisories Released/Updated
http://www.linuxsecurity.com/articles/security_sources_article-5711.html
** Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.
--> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
FEATURE: What is Slapper? - The question of the week: What Slapper? Let me
begin by telling you I am not only describing the Slapper worm, but I am
also describing the Apache/mod_ssl worm, the bugtraq.c worm, and the Modap
worm. In effect, this is just 4 different names for the same nasty worm.
http://www.linuxsecurity.com/feature_stories/feature_story-119.html
+---------------------------------+
| Package: purity | ----------------------------//
| Date: 09-15-2002 |
+---------------------------------+
Description:
Two buffer overflows have been discovered in purity, a game for nerds and
hackers, which is installed setgid games on a Debian system. This problem
could be exploited to gain unauthorized access to the group games. A
malicious user could alter the highscore of several games.
Vendor Alerts:
Debian: i386:
http://security.debian.org/pool/updates/main/p/purity/
purity_1-9.1_i386.deb
Size/MD5 checksum: 27404 6eb60f91f4cd3730bef018115268c568
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2347.html
+---------------------------------+
| Package: openssl | ----------------------------//
| Date: 09-15-2002 |
+---------------------------------+
Description:
The OpenSSL development team has announced that a security audit by
A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
revealed remotely exploitable buffer overflow conditions in the
OpenSSL code.
Additionaly, the ASN1 parser in OpenSSL has a potential DoS attack
independently discovered by Adi Stav and James Yonan.
Vendor Alerts:
Debian: i386:
http://security.debian.org/pool/updates/main/o/openssl/
libssl-dev_0.9.6c-0.potato.4_i386.deb
Size/MD5 checksum: 1288134 430658383c6c37cfafbddd16a492f407
http://security.debian.org/pool/updates/main/o/openssl/
libssl0.9.6_0.9.6c-0.potato.4_i386.deb
Size/MD5 checksum: 463668 37e1e010c4eab318a48b8f1de3c73910
http://security.debian.org/pool/updates/main/o/openssl/
openssl_0.9.6c-0.potato.4_i386.deb
Size/MD5 checksum: 724530 82241d5d38dc62b0e4d53f41303e8829
http://security.debian.org/pool/updates/main/o/openssl094/
libssl09_0.9.4-6.potato.0_i386.deb
Size/MD5 checksum: 1272012 0e9c6f0a2fde3e72eb4b3c88e57ad9fa
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2348.html
Debian Vendor Advisory (UPDATE):
http://www.linuxsecurity.com/advisories/debian_advisory-2373.html
NetBSD:
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2353.html
NetBSD Vendor Advisory 2:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2363.html
+---------------------------------+
| Package: konqueror | ----------------------------//
| Date: 09-15-2002 |
+---------------------------------+
Description:
A cross site scripting problem has been discovered in Konquerer, a
famous browser for KDE and other programs using KHTML. The KDE team
reports that Konqueror's cross site scripting protection fails to
initialize the domains on sub-(i)frames correctly. As a result,
Javascript is able to access any foreign subframe which is defined in
the HTML source. Users of Konqueror and other KDE software that uses
the KHTML rendering engine may become victim of a cookie stealing and
other cross site scripting attacks.
Vendor Alerts:
Debian: i386:
http://security.debian.org/pool/updates/main/k/kdelibs/
kdelibs3_2.2.2-13.woody.3_i386.deb
Size/MD5 checksum: 6618086 c876d1e96c2b9a74475204ed24f651d2
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2350.html
+---------------------------------+
| Package: php | ----------------------------//
| Date: 09-15-2002 |
+---------------------------------+
Description:
Wojciech Purczynski found out that it is possible for scripts to pass
arbitrary text to sendmail as commandline extension when sending a
mail through PHP even when safe_mode is turned on. Passing 5th
argument should be disabled if PHP is configured in safe_mode, which
is the case for newer PHP versions and for the versions below. This
does not affect PHP3, though.
Vendor Alerts:
Debian: i386:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2375.html
+---------------------------------+
| Package: libkvm | ----------------------------//
| Date: 09-15-2002 |
+---------------------------------+
Description:
The kvm(3) library provides a uniform interface for accessing kernel
virtual memory images, including live systems and crash dumps. Access to
live systems is via /dev/mem and /dev/kmem. Memory can be read and
written, kernel symbol addresses can be looked up efficiently, and
information about user processes can be gathered.
Vendor Alerts:
FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/
patches/SA-02:39/libkvm.patch
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2349.html
FreeBSD Vendor Advisory (UPDATE):
http://www.linuxsecurity.com/advisories/freebsd_advisory-2371.html
+---------------------------------+
| Package: libresolv | ----------------------------//
| Date: 09-17-2002 |
+---------------------------------+
Description:
There was a buffer-length computation bug in BIND-based DNS resolver
code. A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a
remote root exploit, though there are no public exploits in
circulation at this time.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2351.html
+---------------------------------+
| Package: NetBSD kernel | ----------------------------//
| Date: 09-17-2002 |
+---------------------------------+
Description:
A Session leader can use the TIOCSCTTY ioctl to set the session
controlling terminal. This ioctl can be called any number of times. The
call unconditionally raised the hold count of a kernel structure shared
between processes in the same session. It was possible to overflow the
structure counter, and thus arrange for the structure memory to be freed
prematurely, and possibly re-used. This could cause a kernel panic or
incorrect operation the next time the session structure is accessed from
the context of other processes which are part of the former session.
Vendor Alerts: NetBSD:
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/
SA2002-007-tiocsctty.patch
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2352.html
+---------------------------------+
| Package: libc | ----------------------------//
| Date: 09-19-2002 |
+---------------------------------+
Description:
Integer overflows exist in the RPC code in libc. These cause a buffer
to be mistakenly allocated too small, and then overflown. The
Automounter amd(8) and its query tool amq(8), and the rusers(1)
client binary use the flawed code in a way which could be
exploitable. Other uses of the RPC functions have been examined and
are believed to not be exploitable.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2355.html
NetBSD Vendor Advisory (RPX XDR):
http://www.linuxsecurity.com/advisories/netbsd_advisory-2362.html
+---------------------------------+
| Package: shutdown | ----------------------------//
| Date: 09-19-2002 |
+---------------------------------+
Description:
shutdown(s, SHUT_RD) is used to indicate that there should be no
inbound traffic expected on the socket. There was mistake in TCP
with respect to the handling of shutdown'ed socket, leading to
unexpected kernel resource consumption and unexpected behavior.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2359.html
+---------------------------------+
| Package: fd_set (pppd) | ----------------------------//
| Date: 09-19-2002 |
+---------------------------------+
Description:
The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
daemon pppd(8), are setuid root binaries. A malicious local user can
cause a buffer overrun in these programs by filling file descriptor
tables before exec'ing them, which could lead to local root
compromise.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2358.html
NetBSD Vendor Advisory fd_set:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2369.html
NetBSD Vendor Advisory pppd:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2370.html
+---------------------------------+
| Package: kdf | ----------------------------//
| Date: 09-19-2002 |
+---------------------------------+
Description:
Kf and kfd are used to forward Kerberos credentials in a stand-alone
fashion, and come from the Heimdal Kerberos implementation used by
NetBSD. In Heimdal releases earlier than 0.5, these programs have
multiple security issues, including possible buffer overruns.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2360.html
+---------------------------------+
| Package: ioctl | ----------------------------//
| Date: 09-5-2002 |
+---------------------------------+
Description:
A Session leader can use the TIOCSCTTY ioctl to set the session
controlling terminal. This ioctl can be called any number of times.
The call unconditionally raised the hold count of a kernel structure
shared between processes in the same session. It was possible to
overflow the structure counter, and thus arrange for the structure
memory to be freed prematurely, and possibly re-used. This could
cause a kernel panic or incorrect operation the next time the session
structure is accessed from the context of other processes which are
part of the former session.
Vendor Alerts:
NetBSD:
ftp://ftp.netbsd.org/pub/NetBSD/security/patches/
SA2002-007-tiocsctty.patch
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2364.html
+---------------------------------+
| Package: dns | ----------------------------//
| Date: 09-5-2002 |
+---------------------------------+
Description:
There was a buffer-length computation bug in BIND-based DNS resolver
code. A malicious DNS response packet may be able to overwrite data
outside the buffer, and it could lead to attacks as serious as a
remote root exploit, though there are no public exploits in
circulation at this time.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2365.html
+---------------------------------+
| Package: nfs | ----------------------------//
| Date: 09-5-2002 |
+---------------------------------+
Description:
The Network File System (NFS) allows a host to export some or all of
its filesystems, or parts of them, so that other hosts can access
them over the network and mount them as if they were on local disks.
NFS is built on top of the Sun Remote Procedure Call (RPC) framework.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2366.html
+---------------------------------+
| Package: setlocale | ----------------------------//
| Date: 09-5-2002 |
+---------------------------------+
Description:
There was a boundary checking bug of array suffix in setlocale()
function in libc. If the setlocale() function is used with arguments
satisfying a specific condition (see below), there is a possibility
that this could be exploitable.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2367.html
+---------------------------------+
| Package: postgresql | ----------------------------//
| Date: 09-19-2002 |
+---------------------------------+
Description:
In order to exploit any of these vulnerabilities, it is necessary for
the attacker to be able to query the database somehow. Some
scenarios where this could happen: The attacker already has an
account in the database serve and can execute queries.
Vendor Alerts:
Connectiva:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Connectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2376.html
+---------------------------------+
| Package: libX11 | ----------------------------//
| Date: 09-18-2002 |
+---------------------------------+
Description:
The xf86 package contains various libraries and programs which are
fundamental for the X server to function. The libX11.so library from
this package dynamically loads other libraries where the pathname is
controlled by the user invoking the program linked against libX11.so.
Unfortunately, libX11.so also behaves the same way when linked
against setuid programs. This behavior allows local users to execute
arbitrary code under a different UID which can be the root-UID in the
worst case.
Vendor Alerts:
SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/x1/
xshared-4.2.0-174.i386.rpm
2a515055a811de5b465d016ffa77a09c
ftp://ftp.suse.com/pub/suse/i386/update/8.0/x2/
xdevel-4.2.0-174.i386.rpm
67ddeb24b04b8c2badb7a039d9ea270e
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2374.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 03:42:13 PDT