[ISN] Linux Advisory Watch - November 15th 2002

From: InfoSec News (isnat_private)
Date: Mon Nov 18 2002 - 05:26:45 PST


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  November 15th, 2002                      Volume 3, Number 46a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for PXE, libpng, python, html2ps,
    kdenetwork, masqmail, apache-perl, bind, kadmind, smrsh, resolver,
    perl-MailTools, nss_ldap, php, traceroute, kgpg, apache, kdelibs, and
    syslog-ng.  The distributors include Caldera, Debian, Guardian Digital's
    EnGarde Secure Linux, FreeBSD, Gentoo, Red Hat, and SuSE.
    
    Concerned about the next threat? EnGarde is the undisputed winner!
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
    
    FEATURE:  Security: Physical and Service (1 of 3) - The first installation
    of a 3 part article covering everything from physical security and service
    security to LAMP security (Linux Apache MySQL PHP).
    
     http://www.linuxsecurity.com/feature_stories/feature_story-128.html
    
    
    FEATURE:  Security: Apache (2 of 3) - This is the second installation of a
    3 part article on LAMP (Linux Apache MySQL PHP). Apache is the most widely
    used HTTP-server in the world today.
    
     http://www.linuxsecurity.com/feature_stories/feature_story-129.html
    
    
    +---------------------------------+
    |  Package: PXE                   | ----------------------------//
    |  Date: 11-11-2002               |
    +---------------------------------+
    
    Description:
    The PXE server can be crashed by using corrupt DHCP packets. This bug
    could be used to cause a denial-of-service attack.
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Server/CSSA-2002-044.0/RPMS
      pxe-0.1-33.i386.rpm
      75380c0629500bcb6ac3185fd7f68cf9
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2551.html
    
    
    
    +---------------------------------+
    |  Package: libpng                | ----------------------------//
    |  Date: 11-12-2002               |
    +---------------------------------+
    
    Description:
    There are two buffer overflow vulnerabilities in the libpng code: one
    of which can allow attackers to cause a denial of service, and the
    other of which can cause a denial of service with the possibility of
    executing arbitrary code.
    
    Vendor Alerts:
    
     Caldera:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2558.html
    
    
    
    
    +---------------------------------+
    |  Package: python                | ----------------------------//
    |  Date: 11-14-2002               |
    +---------------------------------+
    
    Description:
    os._execvpe from os.py in Python creates temporary files with
    predictable names, which could allow local users to execute arbitrary
    code via a symlink attack.
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Server/CSSA-2002-045.0/RPMS
      python-1.5.2-23.i386.rpm
      d02a87d515a2e0295b61a70e21d85d67
    
      python-devel-1.5.2-23.i386.rpm
      f026986740ce3b24aa75a6ef6d6f813d
    
      python-docs-1.5.2-23.i386.rpm
      a4d8a3a8a6011f4d87d1a3c3e75150d1
    
      python-tools-1.5.2-23.i386.rpm
      6283c3abfb5a339d6f3c8e1b2b0304fc
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2573.html
    
    
    
    
    +---------------------------------+
    |  Package: html2ps               | ----------------------------//
    |  Date: 11-08-2002               |
    +---------------------------------+
    
    Description:
    The SuSE Security Team found a vulnerability in html2ps, an HTML to
    PostScript converter, that opened files based on unsanitized input
    insecurely.  This problem can be exploited when html2ps is installed
    as a filter within lprng and the attacker has previously gained access
    to the lp account.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/h/html2ps/
      html2ps_1.0b1-8.1_all.deb
      Size/MD5 checksum:   134728 5932b4a4d5942c839b1a65817becf641
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2545.html
    
    
    
    +---------------------------------+
    |  Package: kdenetwork            | ----------------------------//
    |  Date: 11-11-2002               |
    +---------------------------------+
    
    Description:
    It is possible for a local attacker to exploit a buffer overflow
    condition in resLISa, a restricted version of KLISa.  The
    vulnerability exists in the parsing of the LOGNAME environment
    variable: an overly long value will overwrite the instruction pointer,
    thereby allowing an attacker to seize control of the executable.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/k/
      kdenetwork/klisa_2.2.2-14.2_i386.deb
      Size/MD5 checksum:   150248 447ca978df2eabe8971f0106d75dd5df
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2549.html
    
    
     SuSE:
    
      SuSE Vendor Advisory:
      http://www.linuxsecurity.com/advisories/suse_advisory-2553.html
    
    
    
    +---------------------------------+
    |  Package: masqmail              | ----------------------------//
    |  Date: 11-12-2002               |
    +---------------------------------+
    
    Description:
    A set of buffer overflows has been discovered in masqmail, a mail
    transport agent for hosts without a permanent internet connection.  In
    addition to this, privileges were dropped only after reading a user
    supplied configuration file.  Together these could be exploited to
    gain unauthorized root access to the machine on which masqmail is
    installed.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/m/
      masqmail/masqmail_0.1.16-2.1_i386.deb
      Size/MD5 checksum:    88358 586f60f60d81dc17379df547f5796f8a
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2555.html
    
    
    
    
    +---------------------------------+
    |  Package: apache-perl           | ----------------------------//
    |  Date: 11-13-2002               |
    +---------------------------------+
    
    Description:
    These vulnerabilities could allow an attacker to enact a denial of
    service against a server or execute a cross site scripting attack, or
    steal cookies from other web site users.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/a/apache-perl/
      apache-perl_1.3.9-14.1-1.21.20000309-1.1_i386.deb
      Size/MD5 checksum:   956320 da48dac81fbc5f66e7f9f350c2eb90bb
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2563.html
    
    
    
    
    +---------------------------------+
    |  Package: bind                  | ----------------------------//
    |  Date: 11-14-2002               |
    +---------------------------------+
    
    Description:
    A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a
    remote attacker to execute arbitrary code via a certain DNS server
    response containing SIG resource records (RR).  This buffer overflow
    can be exploited to obtain access to the victim host under the
    account the named process is running with, usually root.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/b/bind/
      dnsutils_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:   340444 31b08eaeb38c0df2ed1cb6cb6fa3f5de
    
      http://security.debian.org/pool/updates/main/b/bind/
      bind_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:   572016 540d025d851c207596f02f293d32dbca
    
      http://security.debian.org/pool/updates/main/b/bind/
      bind-dev_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:   309622 476724d25b348bdfa3f314bf8777e05a
    
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2569.html
    
    
     FreeBSD:
    
      FreeBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/freebsd_advisory-2566.html
    
     Mandrake:
    
      Mandrake Vendor Advisory:
      http://www.linuxsecurity.com/advisories/mandrake_advisory-2572.html
    
    
     Red Hat:
    
      Red Hat Vendor Advisory:
      http://www.linuxsecurity.com/advisories/redhat_advisory-2559.html
    
     SuSE:
    
      SuSE Vendor Advisory:
      http://www.linuxsecurity.com/advisories/suse_advisory-2568.html
    
     EnGarde:
    
      EnGarde Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2564.html
    
     Conectiva:
    
      Conectiva Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2570.html
    
    
    
    
    +---------------------------------+
    |  Package: kadmind               | ----------------------------//
    |  Date: 11-14-2002               |
    +---------------------------------+
    
    Description:
    A remote attacker may send a specially formatted request to k5admind
    or kadmind, triggering a stack buffer overflow and potentially
    causing the administrative server to execute arbitrary code as root
    on the KDC.  The attacker need not be authenticated in order to
    trigger the bug.  Compromise of the KDC has an especially large
    impact, as theft of the Kerberos database could allow an attacker to
    impersonate any Kerberos principal in the realm(s) present in the
    database.
    
    Vendor Alerts:
    
     FreeBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      FreeBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/freebsd_advisory-2560.html
    
    
    
    
    +---------------------------------+
    |  Package: smrsh                 | ----------------------------//
    |  Date: 11-11-2002               |
    +---------------------------------+
    
    Description:
    Users with a local account and the ability to create or modify their
    `.forward' files can circumvent the smrsh restrictions.  This is
    mostly of consequence to systems which have local users that are not
    normally allowed access to a login shell, as such users may abuse
    this bug in order to execute arbitrary commands with normal
    privileges.
    
    Vendor Alerts:
    
     FreeBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      FreeBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/freebsd_advisory-2561.html
    
    
    
    +---------------------------------+
    |  Package: resolver              | ----------------------------//
    |  Date: 11-12-2002               |
    +---------------------------------+
    
    Description:
    A malicious attacker could spoof DNS queries with specially crafted
    responses that will not fit in the supplied buffer.  This might cause
    some applications to fail (denial-of-service).
    
    Vendor Alerts:
    
     FreeBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      FreeBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/freebsd_advisory-2562.html
    
    
    
    
    +---------------------------------+
    |  Package: perl-MailTools        | ----------------------------//
    |  Date: 11-13-2002               |
    +---------------------------------+
    
    Description:
    A vulnerability was discovered in the Mail::Mailer Perl module by the
    SuSE security team during an audit.  The vulnerability allows remote
    attackers to execute arbitrary commands in certain circumstances due
    to the usage of mailx as the default mailer, a program that allows
    commands to be embedded in the mail body.
    
    Vendor Alerts:
    
     Mandrake:
      9.0/RPMS/perl-MailTools-1.47-1.1mdk.noarch.rpm
      4fbfa7cc821ce3e785fb2449eb58afb8
      http://www.mandrakesecure.net/en/ftp.php
    
      Mandrake Vendor Advisory:
      http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html
    
    
    
    
    +---------------------------------+
    |  Package: nss_ldap              | ----------------------------//
    |  Date: 11-07-2002               |
    +---------------------------------+
    
    Description:
    A buffer overflow vulnerability exists in nss_ldap versions prior to
    198.  When nss_ldap is configured without a value for the "host"
    keyword, it attempts to configure itself using SRV records stored in
    DNS.  nss_ldap does not check that the data returned by the DNS query
    will fit into an internal buffer, thus exposing it to an overflow.
    
    Vendor Alerts:
    
     Mandrake:
      9.0/RPMS/nss_ldap-202-1.1mdk.i586.rpm
      da577902f504bf8f345446635fcc3cf7
    
      9.0/RPMS/pam_ldap-156-1.1mdk.i586.rpm
      b70c25f7b8a3b5f86149dd199003a4ff
    
      http://www.mandrakesecure.net/en/ftp.php
    
    
      Mandrake Vendor Advisory:
      http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html
    
    
    
    
    
    +---------------------------------+
    |  Package: php                   | ----------------------------//
    |  Date: 11-11-2002               |
    +---------------------------------+
    
    Description:
    PHP versions up to and including 4.2.2 contain vulnerabilities in the
    mail() function allowing local script authors to bypass safe mode
    restrictions and possibly allowing remote attackers to insert
    arbitrary mail headers and content into the message.
    
    Vendor Alerts:
    
     Red Hat:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Red Hat Vendor Advisory:
      http://www.linuxsecurity.com/advisories/redhat_advisory-2550.html
    
     Conectiva:
    
      Conectiva Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2565.html
    
    
    
    +---------------------------------+
    |  Package: traceroute            | ----------------------------//
    |  Date: 11-12-2002               |
    +---------------------------------+
    
    Description:
    Traceroute-nanog requires root privilege to open a raw socket. It
    does not relinquish these privileges after doing so. This allows a
    malicious user to gain root access by exploiting a buffer overflow at
    a later point.
    
    Vendor Alerts:
    
     SuSE:
      ftp://ftp.suse.com/pub/suse/i386/update/
      8.0/n1/traceroute-6.1.1-0.i386.rpm
      afe01bf0b151eca2f42fa5737c99bdc7
    
      SuSE Vendor Advisory:
      http://www.linuxsecurity.com/advisories/suse_advisory-2554.html
    
    
    
    +---------------------------------+
    |  Package: kgpg                  | ----------------------------//
    |  Date: 11-10-2002               |
    +---------------------------------+
    
    Description:
    A bug in Kgpg's key generation affects all secret keys generated
    through Kgpg's wizard.  (The bug does not affect keys created in
    console/expert mode.)  All keys created through the wizard have an
    empty passphrase, which means that if someone has access to your
    computer and can read your secret key, he/she can decrypt your files
    without the need of a passphrase.
    
    Vendor Alerts:
    
     Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2548.html
    
    
    
    
    +---------------------------------+
    |  Package: apache                | ----------------------------//
    |  Date: 11-11-2002               |
    +---------------------------------+
    
    Description:
    A vulnerability exists in the SSI error pages of Apache 2.0 that
    involves incorrect filtering of server signature data. The
    vulnerability could enable an attacker to hijack web sessions,
    allowing a range of potential compromises on the targeted host.
    
    Vendor Alerts:
    
     Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2552.html
    
    
    
    
    +---------------------------------+
    |  Package: kdelibs               | ----------------------------//
    |  Date: 11-11-2002               |
    +---------------------------------+
    
    Description:
    The vulnerability potentially enables local or remote attackers to
    compromise a victim's account and execute arbitrary commands on the
    local system with the victim's privileges, such as erasing files,
    accessing data or installing trojans.
    
    Vendor Alerts:
    
     Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2567.html
    
    
    
    
    +---------------------------------+
    |  Package: syslog-ng             | ----------------------------//
    |  Date: 11-14-2002               |
    +---------------------------------+
    
    Description:
    When expanding macros, syslog-ng fails to account for characters
    which are not part of the macro, which leads to incorrect bounds
    checking and a possible buffer overflow if there are enough
    non-macro characters being used.
    
    Vendor Alerts:
    
     Conectiva:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Conectiva Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2571.html
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 08:19:37 PST