[ISN] Linux Advisory Watch - November 22nd 2002

From: InfoSec News (isnat_private)
Date: Mon Nov 25 2002 - 00:03:02 PST


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  November 22nd, 2002                      Volume 3, Number 47a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for squid, wwwoffled, lynx, tcpdump,
    fetchmail, courier, KDE SSL, nullmailer, mhonarc, smrsh, bind, ypserv,
    getbyname, ftpd, Red Hat kernel, samba, windowmaker, dhcp, php, and
    gtetrinet.  The distributors include Caldera, Debian, FreeBSD, Gentoo,
    Mandrake, NetBSD, OpenPKG, Red Hat, SuSE, and Trustix.
    
     Concerned about the next threat? EnGarde is the undisputed winner!
     Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
     Editor's Choice Award, EnGarde "walked away with our Editor's Choice
     award thanks to the depth of its security strategy..." Find out what the
     other Linux vendors are not telling you.
    
     http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
    
    
    Security: MySQL and PHP (3 of 3) - This is the third installment of a 3
    part article on LAMP (Linux Apache MySQL PHP). It lays out the guidelines
    one has to follow to secure a MySQL server at a basic level.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-130.html
    
    
    FEATURE:  Security: Physical and Service (1 of 3) - The first installment
    of a 3 part article covering everything from physical security and service
    security to LAMP security (Linux Apache MySQL PHP).
    
     http://www.linuxsecurity.com/feature_stories/feature_story-128.html
    
    
    
    +---------------------------------+
    |  Package: squid                 | ----------------------------//
    |  Date: 11-14-2002               |
    +---------------------------------+
    
    Description:
    Several bugfixes and cleanup of the Gopher client, both to correct some
    security issues and to make Squid properly render certain Gopher menus.
    Security fixes in how Squid parses FTP directory listings into HTML. FTP
    data channels are now sanity checked to match the address of the requested
    FTP server. This is to prevent theft or injection of data.
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Server/CSSA-2002-046.0/RPMS
    
      squid-2.5-20020429.i386.rpm
      fdda342fe954cf6ea304046781a555c8
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2574.html
    
    
    
    +---------------------------------+
    |  Package: KDE SSL               | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    Konqueror's cross site scripting (XSS) protection fails to initialize the
    domains on sub-(i)frames correctly. As a result, Javascript can access any
    foreign subframe which is defined in the HTML source. KDE's SSL
    implementation fails to check the basic constraints on certificates and as
    a result may accept certificates as valid that were signed by an issuer
    who was not authorized to do so.
    
    Vendor Alerts:
    
     Caldera:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2579.html
    
    
    
    +---------------------------------+
    |  Package: wwwoffled             | ----------------------------//
    |  Date: 11-18-2002               |
    +---------------------------------+
    
    Description:
    wwwoffled allows remote attackers to cause a denial of service and
    possibly execute arbitrary code via a negative Content-Length value.
    
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Workstation/CSSA-2002-048.0/RPMS
    
      wwwoffle-2.6b-3MR.i386.rpm
      d54de95d9db4d19501e6b50ef63f2e31
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2586.html
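    The wwwoffled entry above describes a negative Content-Length value
    reaching size arithmetic. The following is an added example of how a
    proxy or client can parse that header defensively; it is not code from
    wwwoffle or from the advisory, and MAX_BODY_LEN is a constructed limit
    chosen for the example.

```c
#include <ctype.h>
#include <limits.h>

/* Upper bound this example is willing to buffer for one response body.
 * A constructed value for the example, not a wwwoffle setting. */
#define MAX_BODY_LEN (64L * 1024 * 1024)

/* Parse the value of a Content-Length header received from an upstream
 * server.  Returns the length (0 .. MAX_BODY_LEN) on success, or -1 for
 * anything that must not reach size arithmetic: an empty value, a sign
 * ("-1" is the negative length the advisory describes; "+5" is not valid
 * HTTP either), non-digit characters, a number too large for a long, or a
 * number above MAX_BODY_LEN.  The caller drops the response on -1 instead
 * of guessing. */
long parse_content_length(const char *value)
{
    long n = 0;
    const char *p = value;

    /* optional leading blanks after the colon: "Content-Length:   42" */
    while (*p == ' ' || *p == '\t')
        p++;

    /* the first character must be a digit; this rejects '-', '+' and "" */
    if (!isdigit((unsigned char)*p))
        return -1;

    for (; isdigit((unsigned char)*p); p++) {
        int digit = *p - '0';
        /* overflow check before multiplying, so n can never wrap negative */
        if (n > (LONG_MAX - digit) / 10)
            return -1;
        n = n * 10 + digit;
        if (n > MAX_BODY_LEN)       /* cap early, independent of overflow */
            return -1;
    }

    /* only trailing blanks and the header's CRLF may follow the digits */
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    if (*p != '\0')
        return -1;                  /* e.g. "12abc" or "12 34" */

    return n;
}
```

    Because the result is validated before it is ever converted to a size,
    a hostile upstream server cannot turn the header into a huge allocation
    or a negative copy length.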
    
    
    
    
    +---------------------------------+
    |  Package: lynx                  | ----------------------------//
    |  Date: 11-18-2002               |
    +---------------------------------+
    
    Description:
    If lynx is given a URL with some special characters on the command line,
    it will include faked headers in the HTTP query. This feature can be used
    to force scripts (that use Lynx for downloading files) to access the wrong
    site on a web server with multiple virtual hosts.
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Server/CSSA-2002-049.0/RPMS
    
      lynx-2.8.4-1.i386.rpm
      86aa0c385c7b4789aa33fe57dc209490
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2587.html
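    The lynx entry above concerns special characters in a URL ending up as
    extra request headers. The following is an added example, not code from
    Lynx or the advisory, of the check a downloader should apply before
    placing a host name or path into an HTTP request; the function names and
    the fixed HTTP/1.0 request shape are assumptions of the example.

```c
#include <stdio.h>

/* Return 1 if s may be embedded in an HTTP request line or header value.
 * CR and LF are what turn a URL argument into "faked headers": they end
 * the current line, so whatever follows is parsed as a new header.  Other
 * control bytes, DEL and whitespace are rejected too; none of them belongs
 * in a host name or in an already percent-encoded path. */
int http_field_is_clean(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x21 || c == 0x7f)      /* 0x00-0x20 covers CR, LF, SP */
            return 0;
    }
    return 1;
}

/* Build "GET <path> HTTP/1.0\r\nHost: <host>\r\n\r\n" into buf.
 * Returns the number of bytes written, or -1 if either field is unclean,
 * the path is not absolute, or the request would not fit.  A script that
 * builds its request this way cannot be steered to another virtual host
 * by a crafted URL, because the Host header is always the one intended. */
int build_get_request(char *buf, size_t buflen,
                      const char *host, const char *path)
{
    if (!http_field_is_clean(host) || !http_field_is_clean(path))
        return -1;
    if (path[0] != '/')
        return -1;
    int n = snprintf(buf, buflen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     path, host);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Verdict-only wrapper for callers that just need accept/reject. */
int request_accepted(const char *host, const char *path)
{
    char buf[512];
    return build_get_request(buf, sizeof buf, host, path) > 0;
}
```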
    
    
    
    
    +---------------------------------+
    |  Package: tcpdump               | ----------------------------//
    |  Date: 11-19-2002               |
    +---------------------------------+
    
    Description:
    There is a miscalculation in the use of the sizeof operator in
    tcpdump, allowing, at the least, a denial-of-service attack.
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Server/CSSA-2002-050.0/RPMS
    
      tcpdump-3.6.2-4.i386.rpm
      88099679d803eb7f1583f99ccaa68fed
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2594.html
    
    
    
    
    +---------------------------------+
    |  Package: fetchmail             | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    Several buffer overflows have been found in fetchmail. These bugs may be
    remotely exploited if fetchmail is running in multidrop mode.
    
    Vendor Alerts:
    
     Caldera:
      ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
      Server/CSSA-2002-051.0/RPMS
    
      fetchmail-6.1.0-3.i386.rpm
      434fea1951a0d2f3b84aacef99c64406
    
      fetchmailconf-6.1.0-3.i386.rpm
      f4a95f399c696a47d30cb42076a16537
    
      Caldera Vendor Advisory:
      http://www.linuxsecurity.com/advisories/caldera_advisory-2599.html
    
    
    
    +---------------------------------+
    |  Package: courier               | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    A problem has been discovered in the Courier sqwebmail package, a CGI
    program that grants authenticated access to local mailboxes.  Under
    certain circumstances the program did not drop privileges quickly enough
    on startup, so a local shell user who runs the sqwebmail binary can read
    an arbitrary file on the local filesystem.
    
    
    Vendor Alerts:
    
     Debian:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2577.html
    
     Gentoo:
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2588.html
    
    
    
    
    +---------------------------------+
    |  Package: nullmailer            | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    A problem has been discovered in nullmailer, a simple relay-only mail
    transport agent for hosts that relay mail to a fixed set of smart relays.
    When a mail is to be delivered locally to a user that doesn't exist,
    nullmailer tries to deliver it, receives a "user unknown" error and stops
    delivering.  Unfortunately, it stops delivering entirely, not only this
    mail.  Hence, it's very easy to craft a denial of service.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/n/nullmailer/
      nullmailer_1.00RC5-16.1woody2_ia64.deb
      Size/MD5 checksum:   144246 c508c104d7b775e84641aabdc2adf209
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2584.html
    
    
    
    
    +---------------------------------+
    |  Package: mhonarc               | ----------------------------//
    |  Date: 11-19-2002               |
    +---------------------------------+
    
    Description:
    Steven Christey discovered a cross site scripting vulnerability in
    mhonarc, a mail to HTML converter.  Carefully crafted message headers can
    introduce cross site scripting when mhonarc is configured to display all
    header lines on the web.  However, it is often useful to restrict the
    displayed header lines to To, From and Subject, in which case the
    vulnerability cannot be exploited.
    
    Vendor Alerts:
    
     Debian:
      http://security.debian.org/pool/updates/main/m/
      mhonarc/mhonarc_2.4.4-1.2_all.deb
      Size/MD5 checksum:   453352 8e7f1a40ff78e0bef2d1c9593545baee
    
      Debian Vendor Advisory:
      http://www.linuxsecurity.com/advisories/debian_advisory-2589.html
    
    
    
    +---------------------------------+
    |  Package: smrsh                 | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    Users with a local account and the ability to create or modify their
    `.forward' files can circumvent the smrsh restrictions.  This is mostly of
    consequence to systems which have local users that are not normally
    allowed access to a login shell, as such users may abuse this bug in order
    to execute arbitrary commands with normal privileges.
    
    Vendor Alerts:
    
     FreeBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      FreeBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/freebsd_advisory-2575.html
    
    
    
    
    +---------------------------------+
    |  Package: bind                  | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    BIND SIG Cached RR Overflow Vulnerability:  A remote attacker may be able
    to cause a name server with recursion enabled to execute arbitrary code
    with the privileges of the name server process. BIND OPT DoS and BIND SIG
    Expiry Time DoS: A remote attacker may be able to cause the name server
    process to crash.
    
    Vendor Alerts:
    
     FreeBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      FreeBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/freebsd_advisory-2576.html
    
    
    
     NetBSD:
      NetBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/netbsd_advisory-2591.html
    
     OpenPKG:
      OpenPKG Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2580.html
    
     Trustix:
      Trustix Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2581.html
    
    
    
    
    +---------------------------------+
    |  Package: ypserv                | ----------------------------//
    |  Date: 11-18-2002               |
    +---------------------------------+
    
    Description:
    A memory leak that could be triggered remotely was discovered in ypserv
    2.5 and earlier.  This could lead to a Denial of Service as repeated
    requests for a non-existent map will result in ypserv consuming more and
    more memory, and also running more slowly.  If the system runs out of
    available memory, ypserv would also be killed.
    
    Vendor Alerts:
    
     Mandrake:
      http://www.mandrakesecure.net/en/ftp.php
      9.0/RPMS/ypserv-2.5-1.1mdk.i586.rpm
      d422a834b1869149b38bf1c8a1e8a4d6
    
      Mandrake Vendor Advisory:
      http://www.linuxsecurity.com/advisories/mandrake_advisory-2590.html
    
    
    
    +---------------------------------+
    |  Package: getbyname             | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    getnetbyname(3) and getnetbyaddr(3) lacked important boundary checks, and
    are vulnerable to malicious DNS responses, which could cause a buffer
    overrun on the stack.  The vulnerability could cause a remote root
    compromise, if a privileged process uses these library functions.
    
    Vendor Alerts:
    
     NetBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      NetBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/netbsd_advisory-2592.html
    
    
    
    
    +---------------------------------+
    |  Package: ftpd                  | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    NetBSD's ftpd responds to the STAT command in a way that is not standards
    conformant, when a filename that contains "\n[0-9]" is specified.  This
    could be used by a malicious party to corrupt state tables in firewall
    devices between an FTP client and a NetBSD FTP server.
    
    Vendor Alerts:
    
     NetBSD:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      NetBSD Vendor Advisory:
      http://www.linuxsecurity.com/advisories/netbsd_advisory-2593.html
    
    
    
    
    +---------------------------------+
    |  Package: Red Hat kernel        | ----------------------------//
    |  Date: 11-15-2002               |
    +---------------------------------+
    
    Description:
    The kernel in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 is vulnerable to
    a local denial of service attack. Updated packages are available which
    address this vulnerability, as well as bugs in several drivers.
    
    Vendor Alerts:
    
     Red Hat:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Red Hat Vendor Advisory:
      http://www.linuxsecurity.com/advisories/redhat_advisory-2578.html
    
     Trustix:
      Trustix Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2582.html
    
    
    
    
    +---------------------------------+
    |  Package: samba                 | ----------------------------//
    |  Date: 11-18-2002               |
    +---------------------------------+
    
    Description:
    The error consists of a buffer overflow in a commonly used routine that
    accepts user input and may write up to 127 bytes past the end of a
    buffer allocated with static length, leaving enough room for an exploit.
    The resulting vulnerability can be exploited locally in applications using
    the pam_smbpass Pluggable Authentication Module (PAM). It may be possible
    to exploit this vulnerability remotely, causing the running smbd to crash
    or even to execute arbitrary code.
    
    
    Vendor Alerts:
    
     SuSE:
      ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
      samba-2.2.5-124.i586.rpm
      f0a94ef6cc49165d4dace59caaf359d7
    
      ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
      samba-client-2.2.5-124.i586.rpm
      f694fb4aaabffa98b6a76941cb2c0eaf
    
      SuSE Vendor Advisory:
      http://www.linuxsecurity.com/advisories/suse_advisory-2598.html
    
    
     Gentoo:
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2597.html
    
    
    
    
    +---------------------------------+
    |  Package: windowmaker           | ----------------------------//
    |  Date: 11-18-2002               |
    +---------------------------------+
    
    Description:
    A possible scenario for this vulnerability could be that of an attacker
    making a specially crafted image available and convincing an unsuspecting
    user to set it as a background image.
    
    Vendor Alerts:
    
     Conectiva:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Conectiva Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2583.html
    
    
    
    
    +---------------------------------+
    |  Package: dhcp                  | ----------------------------//
    |  Date: 11-18-2002               |
    +---------------------------------+
    
    Description:
    Simon Kelley pointed out a vulnerability in the way quotes inside these
    assignments are treated. By exploiting this, a malicious DHCP server (or
    attackers able to spoof DHCP responses) can execute arbitrary shell
    commands on the DHCP client (which runs as root).
    
    Vendor Alerts:
    
     Conectiva:
      ftp://atualizacoes.conectiva.com.br/8/RPMS/
      dhcpcd-1.3.22pl3-1U80_1cl.i386.rpm
    
      Conectiva Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2585.html
    
    
    
    
    +---------------------------------+
    |  Package: php                   | ----------------------------//
    |  Date: 11-20-2002               |
    +---------------------------------+
    
    Description:
    Two vulnerabilities exist in the PHP mail() function. The first allows
    execution of any program or script, bypassing the safe_mode restriction;
    the second may turn a script into an open relay if the mail() function is
    not used carefully in PHP scripts.
    
    Vendor Alerts:
    
     Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2595.html
    
    
    
    +---------------------------------+
    |  Package: gtetrinet             | ----------------------------//
    |  Date: 11-20-2002               |
    +---------------------------------+
    
    Description:
    Several buffer overflows were found in gtetrinet versions below 0.4.3.
    According to the authors, these could be remotely exploited.
    
    Vendor Alerts:
    
     Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/other_advisory-2595.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 04:10:17 PST