+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| November 15th, 2002 Volume 3, Number 46a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for PXE, libpng, python, html2ps,
kdenetwork, masqmail, apache-perl, bind, kadmind, smrsh, resolver,
perl-MailTools, nss_ldap, php, traceroute, kpgp, apache, kdelibs, and
syslog-ng. The distributors include Caldera, Debian, Guardian Digital's
EnGarde Secure Linux, FreeBSD, Gentoo, Red Hat, and SuSE.
Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
FEATURE: Security: Physical and Service (1 of 3) - The first installation
of a 3 part article covering everything from physical security and service
security to LAMP security (Linux Apache MySQL PHP).
http://www.linuxsecurity.com/feature_stories/feature_story-128.html
FEATURE: Security: Apache (2 of 3) - This is the second installation of a
3 part article on LAMP (Linux Apache MySQL PHP). Apache is the most widely
used HTTP-server in the world today.
http://www.linuxsecurity.com/feature_stories/feature_story-129.html
+---------------------------------+
| Package: PXE | ----------------------------//
| Date: 11-11-2002 |
+---------------------------------+
Description:
The PXE server can be crashed by using corrupt DHCP packets. This bug
could be used to cause a denial-of-service attack.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Server/CSSA-2002-044.0/RPMS
pxe-0.1-33.i386.rpm
75380c0629500bcb6ac3185fd7f68cf9
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2551.html
+---------------------------------+
| Package: libpng | ----------------------------//
| Date: 11-12-2002 |
+---------------------------------+
Description:
There are two buffer overflow vulnerabilities in the libpng code:one
of which can allow attackers to cause a denial of service, and the
other that can cause a denial of service with the possibility of
executing arbitrary code.
Vendor Alerts:
Caldera:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2558.html
+---------------------------------+
| Package: python | ----------------------------//
| Date: 11-14-2002 |
+---------------------------------+
Description:
os._execvpe from os.py in Python creates temporary files with
predictable names, which could allow local users to execute arbitrary
code via a symlink attack.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Server/CSSA-2002-045.0/RPMS
python-1.5.2-23.i386.rpm
d02a87d515a2e0295b61a70e21d85d67
python-devel-1.5.2-23.i386.rpm
f026986740ce3b24aa75a6ef6d6f813d
python-docs-1.5.2-23.i386.rpm
a4d8a3a8a6011f4d87d1a3c3e75150d1
python-tools-1.5.2-23.i386.rpm
6283c3abfb5a339d6f3c8e1b2b0304fc
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2573.html
+---------------------------------+
| Package: html2ps | ----------------------------//
| Date: 11-08-2002 |
+---------------------------------+
Description:
The SuSE Security Team found a vulnerability in html2ps, a HTML to
PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed
as filter within lrpng and the attacker has previously gained access
to the lp account.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/h/html2ps/
html2ps_1.0b1-8.1_all.deb
Size/MD5 checksum: 134728 5932b4a4d5942c839b1a65817becf641
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2545.html
+---------------------------------+
| Package: kdenetwork | ----------------------------//
| Date: 11-11-2002 |
+---------------------------------+
Description:
It is possible for a local attacker to exploit a buffer overflow
condition in resLISa, a restricted version of KLISa. The
vulnerability exists in the parsing of the LOGNAME environment
variable, an overly long value will overwrite the instruction pointer
thereby allowing an attacker to seize control of the executable.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/k/
kdenetwork/klisa_2.2.2-14.2_i386.deb
Size/MD5 checksum: 150248 447ca978df2eabe8971f0106d75dd5df
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2549.html
SuSE:
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2553.html
+---------------------------------+
| Package: masqmail | ----------------------------//
| Date: 11-12-2002 |
+---------------------------------+
Description:
A set of buffer overflows have been discovered in masqmail, a mail
transport agent for hosts without permanent internet connection. In
addition to this privileges were dropped only after reading a user
supplied configuration file. Together this could be exploited to
gain unauthorized root access to the machine on which masqmail is
installed.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/m/
masqmail/masqmail_0.1.16-2.1_i386.deb
Size/MD5 checksum: 88358 586f60f60d81dc17379df547f5796f8a
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2555.html
+---------------------------------+
| Package: apache-perl | ----------------------------//
| Date: 11-13-2002 |
+---------------------------------+
Description:
These vulnerabilities could allow an attacker to enact a denial of
service against a server or execute a cross site scripting attack, or
steal cookies from other web site users.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/a/apache-perl/
apache-perl_1.3.9-14.1-1.21.20000309-1.1_i386.deb
Size/MD5 checksum: 956320 da48dac81fbc5f66e7f9f350c2eb90bb
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2563.html
+---------------------------------+
| Package: bind | ----------------------------//
| Date: 11-14-2002 |
+---------------------------------+
Description:
A buffer overflow in BIND 8 versions 8.3.3 and earlier allows a
remote attacker to execute arbitrary code via a certain DNS server
response containing SIG resource records (RR). This buffer overflow
can be exploited to obtain access to the victim host under the
account the named process is running with, usually root.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/b/bind/
dnsutils_8.2.3-0.potato.3_i386.deb
Size/MD5 checksum: 340444 31b08eaeb38c0df2ed1cb6cb6fa3f5de
http://security.debian.org/pool/updates/main/b/bind/
bind_8.2.3-0.potato.3_i386.deb
Size/MD5 checksum: 572016 540d025d851c207596f02f293d32dbca
http://security.debian.org/pool/updates/main/b/bind/
bind-dev_8.2.3-0.potato.3_i386.deb
Size/MD5 checksum: 309622 476724d25b348bdfa3f314bf8777e05a
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2569.html
FreeBSD:
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2566.html
Mandrake:
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2572.html
Red Hat:
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2559.html
SuSE:
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2568.html
EnGarde:
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2564.html
Conectiva:
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2570.html
+---------------------------------+
| Package: kadmind | ----------------------------//
| Date: 11-14-2002 |
+---------------------------------+
Description:
A remote attacker may send a specially formatted request to k5admind
or kadmind, triggering the stack buffer overflow and potentially
causing the administrative server to execute arbitrary code as root
on the KDC. The attacker need not be authenticated in order to
trigger the bug. Compromise of the KDC has an especially large
impact, as theft of the Kerberos database could allow an attacker to
impersonate any Kerberos principal in the realm(s) present in the
database.
Vendor Alerts:
FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2560.html
+---------------------------------+
| Package: smrsh | ----------------------------//
| Date: 11-11-2002 |
+---------------------------------+
Description:
Users with a local account and the ability to create or modify their
`.forward' files can circumvent the smrsh restrictions. This is
mostly of consequence to systems which have local users that are not
normally allowed access to a login shell, as such users may abuse
this bug in order to execute arbitrary commands with normal
privileges.
Vendor Alerts:
FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2561.html
+---------------------------------+
| Package: resolver | ----------------------------//
| Date: 11-12-2002 |
+---------------------------------+
Description:
A malicious attacker could spoof DNS queries with specially crafted
responses that will not fit in the supplied buffer. This might cause
some applications to fail (denial-of-service).
Vendor Alerts:
FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2562.html
+---------------------------------+
| Package: perl-MailTools | ----------------------------//
| Date: 11-13-2002 |
+---------------------------------+
Description:
A vulnerability was discovered in Mail::Mailer perl module by the
SuSE security team during an audit. The vulnerability allows remote
attackers to execute arbitrary commands in certain circumstances due
to the usage of mailx as the default mailer, a program that allows
commands to be embedded in the mail body.
Vendor Alerts:
Mandrake:
9.0/RPMS/perl-MailTools-1.47-1.1mdk.noarch.rpm
4fbfa7cc821ce3e785fb2449eb58afb8
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html
+---------------------------------+
| Package: nss_ldap | ----------------------------//
| Date: 11-07-2002 |
+---------------------------------+
Description:
A buffer overflow vulnerability exists in nss_ldap versions prior to
198. When nss_ldap is configured without a value for the "host"
keyword, it attempts to configure itself using SRV records stored in
DNS. nss_ldap does not check that the data returned by the DNS query
will fit into an internal buffer, thus exposing it to an overflow.
Vendor Alerts:
Mandrake:
9.0/RPMS/nss_ldap-202-1.1mdk.i586.rpm
da577902f504bf8f345446635fcc3cf7
9.0/RPMS/pam_ldap-156-1.1mdk.i586.rpm
b70c25f7b8a3b5f86149dd199003a4ff
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html
+---------------------------------+
| Package: php | ----------------------------//
| Date: 11-11-2002 |
+---------------------------------+
Description:
PHP versions up to and including 4.2.2 contain vulnerabilities in the
mail() function allowing local script authors to bypass safe mode
restrictions and possibly allowing remote attackers to insert
arbitrary mail headers and content into the message.
Vendor Alerts:
Red Hat:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2550.html
Conectiva:
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2565.html
+---------------------------------+
| Package: traceroute | ----------------------------//
| Date: 11-12-2002 |
+---------------------------------+
Description:
Traceroute-nanog requires root privilege to open a raw socket. It
does not relinquish these privileges after doing so. This allows a
malicious user to gain root access by exploiting a buffer overflow at
a later point.
Vendor Alerts:
SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/
8.0/n1/traceroute-6.1.1-0.i386.rpm
afe01bf0b151eca2f42fa5737c99bdc7
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2554.html
+---------------------------------+
| Package: kgpg | ----------------------------//
| Date: 11-10-2002 |
+---------------------------------+
Description:
A bug in Kgpg's key generation affects all secret keys generated
through Kgpg's wizard. (Bug does not affect keys created in
console/expert mode). All keys created through the wizard have an
empty passphrase, which means that if someone has access to your
computer and can read your secret key, he/she can decrypt your files
whitout the need of a passphrase.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2548.html
+---------------------------------+
| Package: apache | ----------------------------//
| Date: 11-11-2002 |
+---------------------------------+
Description:
A vulnerability exists in the SSI error pages of Apache 2.0 that
involves incorrect filtering of server signature data. The
vulnerability could enable an attacker to hijack web sessions,
allowing a range of potential compromises on the targeted host.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2552.html
+---------------------------------+
| Package: kdelibs | ----------------------------//
| Date: 11-11-2002 |
+---------------------------------+
Description:
The vulnerability potentially enables local or remote attackers to
compromise a victim's account and execute arbitrary commands on the
local system with the victim's privileges, such as erasing files,
accessing data or installing trojans.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2567.html
+---------------------------------+
| Package: syslog-ng | ----------------------------//
| Date: 11-14-2002 |
+---------------------------------+
Description:
When dealing with this expansion, syslog-ng fails to account for
characters which are not part of the macro, which leads to incorrect
bounds checking and a possible buffer overflow if there are enough
non-macro characters being used.
Vendor Alerts:
Conectiva:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2571.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 08:19:37 PST