+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| November 22nd, 2002 Volume 3, Number 47a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
daveat_private benat_private
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for squid, wwoffled, lynx, tcpdump,
fetchmail, courier, KDE SSL, nullmailer, mhonarc, smrsh, bind, ypserv,
getbyname, ftpd, Red Hat kernel, samba, windowmaker, dhcp, php, and
gtetrinet. The distributors include Caldera, Debian, FreeBSD, Gentoo,
Mandrake, NetBSD, OpenPKG, Red Hat, SuSE, and Trustix.
Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what the
other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
Security: MySQL and PHP (3 of 3) - This is the third installation of a 3
part article on LAMP (Linux Apache MySQL PHP). In order to safeguard a
MySQL server to the basic level, one has to abide by the following
guidelines.
http://www.linuxsecurity.com/feature_stories/feature_story-130.html
FEATURE: Security: Physical and Service (1 of 3) - The first installation
of a 3 part article covering everything from physical security and service
security to LAMP security (Linux Apache MySQL PHP).
http://www.linuxsecurity.com/feature_stories/feature_story-128.html
+---------------------------------+
| Package: squid | ----------------------------//
| Date: 11-14-2002 |
+---------------------------------+
Description:
Several bugfixes and cleanup of the Gopher client, both to correct some
security issues and to make Squid properly render certain Gopher menus.
Security fixes in how Squid parses FTP directory listings into HTML. FTP
data channels are now sanity checked to match the address of the requested
FTP server. This to prevent theft or injection of data.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Server/CSSA-2002-046.0/RPMS
squid-2.5-20020429.i386.rpm
fdda342fe954cf6ea304046781a555c8
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2574.html
+---------------------------------+
| Package: KDE SSL | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
Konqueror's cross site scripting (XSS) protection fails to initialize the
domains on sub-(i)frames correctly. As a result, Javascript can access any
foreign subframe which is defined in the HTML source. KDE's SSL
implementation fails to check the basic constraints on certificates and as
a result may accept certificates as valid that were signed by an issuer
who was not authorized to do so.
Vendor Alerts:
Caldera:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2579.html
+---------------------------------+
| Package: wwoffled | ----------------------------//
| Date: 11-18-2002 |
+---------------------------------+
Description:
wwwoffled allows remote attackers to cause a denial of service and
possibly execute arbitrary code via a negative Content-Length value.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Workstation/CSSA-2002-048.0/RPMS
wwwoffle-2.6b-3MR.i386.rpm
d54de95d9db4d19501e6b50ef63f2e31
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2586.html
+---------------------------------+
| Package: lynx | ----------------------------//
| Date: 11-18-2002 |
+---------------------------------+
Description:
If lynx is given a url with some special characters on the command line,
it will include faked headers in the HTTP query. This feature can be used
to force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Server/CSSA-2002-049.0/RPMS
lynx-2.8.4-1.i386.rpm
86aa0c385c7b4789aa33fe57dc209490
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2587.html
+---------------------------------+
| Package: tcpdump | ----------------------------//
| Date: 11-19-2002 |
+---------------------------------+
Description:
There is a miscalculation in the use of the sizeof operator in
tcpdump, allowing, at the least, a denial-of-service attack.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Server/CSSA-2002-050.0/RPMS
tcpdump-3.6.2-4.i386.rpm
88099679d803eb7f1583f99ccaa68fed
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2594.html
+---------------------------------+
| Package: fetchmail | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
Several buffer overflows have been found in fetchmail. These bugs may be
remotely exploited if fetchmail is running in multidrop mode.
Vendor Alerts:
Caldera:
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
Server/CSSA-2002-051.0/RPMS
fetchmail-6.1.0-3.i386.rpm
434fea1951a0d2f3b84aacef99c64406
fetchmailconf-6.1.0-3.i386.rpm
f4a95f399c696a47d30cb42076a16537
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-2599.html
+---------------------------------+
| Package: courier | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
A problem in the Courier sqwebmail package, a CGI program to grant
authenticated access to local mailboxes, has been discovered. The program
did not drop permissions fast enough upon startup under certain
circumstances so a local shell user can execute the sqwebmail binary and
manage to read an arbitrary file on the local filesystem.
Vendor Alerts:
Debian:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2577.html
Gentoo:
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2588.html
+---------------------------------+
| Package: nullmailer | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
A problem has been discovered in nullmailer, a simple relay-only mail
transport agent for hosts that relay mail to a fixed set of smart relays.
When a mail is to be delivered locally to a user that doesn't exist,
nullmailer tries to deliver it, discovers a user unknown error and stops
delivering. Unfortunately, it stops delivering entirely, not only this
mail. Hence, it's very easy to craft a denial of service.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/n/nullmailer/
nullmailer_1.00RC5-16.1woody2_ia64.deb
Size/MD5 checksum: 144246 c508c104d7b775e84641aabdc2adf209
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2584.html
+---------------------------------+
| Package: mhonarc | ----------------------------//
| Date: 11-19-2002 |
+---------------------------------+
Description:
Steven Christey discovered a cross site scripting vulnerability in
mhonarc, a mail to HTML converter. Carefully crafted message headers can
introduce cross site scripting when mhonarc is configured to display all
headers lines on the web. However, it is often useful to restrict the
displayed header lines to To, From and Subject, in which case the
vulnerability cannot be exploited.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/m/
mhonarc/mhonarc_2.4.4-1.2_all.deb
Size/MD5 checksum: 453352 8e7f1a40ff78e0bef2d1c9593545baee
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2589.html
+---------------------------------+
| Package: smrsh | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
Users with a local account and the ability to create or modify their
`.forward' files can circumvent the smrsh restrictions. This is mostly of
consequence to systems which have local users that are not normally
allowed access to a login shell, as such users may abuse this bug in order
to execute arbitrary commands with normal privileges.
Vendor Alerts:
FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2575.html
+---------------------------------+
| Package: bind | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
BIND SIG Cached RR Overflow Vulnerability: A remote attacker may be able
to cause a name server with recursion enabled to execute arbitrary code
with the privileges of the name server process. BIND OPT DoS and BIND SIG
Expiry Time DoS: A remote attacker may be able to cause the name server
process to crash.
Vendor Alerts:
FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2576.html
NetBSD:
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2591.html
OpenPKG:
OpenPKG Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2580.html
Trustix:
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2581.html
+---------------------------------+
| Package: ypserv | ----------------------------//
| Date: 11-18-2002 |
+---------------------------------+
Description:
A memory leak that could be triggered remotely was discovered in ypserv
2.5 and earlier. This could lead to a Denial of Service as repeated
requests for a non-existant map will result in ypserv consuming more and
more memory, and also running more slowly. If the system runs out of
available memory, ypserv would also be killed.
Vendor Alerts:
Mandrake:
http://www.mandrakesecure.net/en/ftp.php
9.0/RPMS/ypserv-2.5-1.1mdk.i586.rpm
d422a834b1869149b38bf1c8a1e8a4d6
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2590.html
+---------------------------------+
| Package: getbyname | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
getnetbyname(3) and getnetbyaddr(3) lacked important boundary checks, and
are vulnerable to malicious DNS responses, which could cause a buffer
overrun on the stack. The vulnerability could cause a remote root
compromise, if a privileged process uses these library functions.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2592.html
+---------------------------------+
| Package: ftpd | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
NetBSD's ftpd responds to the STAT command in a way that is not standards
conformant, when a filename that contains "\n[0-9]" is specified. This
could be used by a malicious party to corrupt state tables in firewall
devices between an FTP client and a NetBSD FTP server.
Vendor Alerts:
NetBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-2593.html
+---------------------------------+
| Package: Red Hat kernel | ----------------------------//
| Date: 11-15-2002 |
+---------------------------------+
Description:
The kernel in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and 8.0 are vulnerable to
a local denial of service attack. Updated packages are available which
address this vulnerability, as well as bugs in several drivers.
Vendor Alerts:
Red Hat:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2578.html
Trustix:
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2582.html
+---------------------------------+
| Package: samba | ----------------------------//
| Date: 11-18-2002 |
+---------------------------------+
Description:
The error consists of a buffer overflow in a commonly used routine that
accepts user input and may write up to 127 bytes past the end of the
buffer allocated with static length, leaving enough room for an exploit.
The resulting vulnerability can be exploited locally in applications using
the sm_smbpass Pluggable Authentication Module (PAM). It may be possible
to exploit this vulnerability remotely, causing the running smbd to crash
or even to execute arbitrary code.
Vendor Alerts:
SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
samba-2.2.5-124.i586.rpm
f0a94ef6cc49165d4dace59caaf359d7
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
samba-client-2.2.5-124.i586.rpm
f694fb4aaabffa98b6a76941cb2c0eaf
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2598.html
Gentoo:
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2597.html
+---------------------------------+
| Package: windowmaker | ----------------------------//
| Date: 11-18-2002 |
+---------------------------------+
Description:
A possible scenario for this vulnerability could be that of an attacker
making a specially crafted image available and convincing an unsuspecting
user to set it as a background image.
Vendor Alerts:
Conectiva:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2583.html
+---------------------------------+
| Package: dhcp | ----------------------------//
| Date: 11-18-2002 |
+---------------------------------+
Description:
Simon Kelley pointed out a vulnerability in the way quotes inside these
assignments are treated. By exploiting this, a malicious DHCP server (or
attackers able to spoof DHCP responses) can execute arbitrary shell
commands on the DHCP client (which is run by root).
Vendor Alerts:
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/
dhcpcd-1.3.22pl3-1U80_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2585.html
+---------------------------------+
| Package: php | ----------------------------//
| Date: 11-20-2002 |
+---------------------------------+
Description:
Two vulnerabilities exists in mail() PHP function. The first one allows to
execute any program/script bypassing safe_mode restriction, the second one
may give an open-relay script if mail() function is not carefully used in
PHP scripts.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2595.html
+---------------------------------+
| Package: gtetrinet | ----------------------------//
| Date: 11-20-2002 |
+---------------------------------+
Description:
Several buffer overflows was found in gtetrinet versions below 0.4.3.
According to the authors these could be remotley explotied.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2595.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-requestat_private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 04:10:17 PST