[ISN] Linux Advisory Watch - March 14th 2003

From: InfoSec News (isnat_private)
Date: Fri Mar 14 2003 - 23:25:01 PST

    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  March 14th, 2002                         Volume 4, Number 11a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for zlib, sendmail, qpopper, file,
    snort, mysqlcc, netscape-flash, ethereal, usermode, tcpdump, and lprold.
    The distributors include Caldera, Debian, Guardian Digital's EnGarde
    Secure Linux, Gentoo, Mandrake, NetBSD, Red Hat, and SuSE.
    
    
    ------------------------
    LINUX SECURITY ARTICLES:
    ------------------------
    
    Get out of a BIND - install DJBDNS
    DJBDNS eases DNS management and improves security over BIND
    alternatives by taking a different approach to serving and caching DNS
    answers.
    
    http://www.linuxsecurity.com/articles/documentation_article-6857.html
    
    
    Remote Syslog with MySQL and PHP
    Msyslog has the ability to log syslog messages to a database. This allows
    for easier monitoring of multiple servers and the ability to display
    and search for syslog messages using PHP or any other programming language
    that can communicate with the database.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-138.html
    
    
    +---------------------------------+
    |  Package:  zlib                 | ----------------------------//
    |  Date: 03-10-2003               |
    +---------------------------------+
    
    Description:
    There is a buffer overflow in the gzprintf function in zlib that can
    enable attackers to cause a denial of service or possibly execute
    arbitrary code.
    
    Vendor Alerts:
    
     Caldera:
     ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
     Server/CSSA-2003-011.0/RPMS
     libz-1.1.4-2.i386.rpm
     54e3d653907b2aa8111939d208b1f48b
    
     Caldera Vendor Advisory:
     http://www.linuxsecurity.com/advisories/caldera_advisory-2952.html
    
    
    
    
    +---------------------------------+
    |  Package:  sendmail             | ----------------------------//
    |  Date: 03-10-2003               |
    +---------------------------------+
    
    Description:
    From CA-2003-07: Researchers at Internet Security Systems (ISS) have
    discovered a remotely exploitable vulnerability in sendmail. This
    vulnerability could allow an intruder to gain control of a vulnerable
    sendmail server.
    
    Vendor Alerts:
    
     Caldera:
     ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/
     Server/CSSA-2003-011.0/RPMS
     sendmail-8.11.6-13.i386.rpm
     3750ebb1d4260068deab033eabfa605c
    
    
     Caldera Vendor Advisory:
     http://www.linuxsecurity.com/advisories/caldera_advisory-2953.html
    
    
    
    +---------------------------------+
    |  Package:  qpopper              | ----------------------------//
    |  Date: 03-13-2003               |
    +---------------------------------+
    
    Description:
    The sample exploit requires a valid user account and password, and
    overflows a string in the pop_msg() function to give the user "mail"
    group privileges and a shell on the system. Since the Qvsnprintf
    function is used elsewhere in qpopper, additional exploits may be
    possible.
    
    Vendor Alerts:
    
     Debian:
     http://security.debian.org/pool/updates/main/q/
     qpopper/qpopper_4.0.4-2.woody.3_i386.deb
     Size/MD5 checksum:   423226 6a00f3aacf1a94586fc83e92894e0f3a
    
     http://security.debian.org/pool/updates/main/q/
     qpopper/qpopper-drac_4.0.4-2.woody.3_i386.deb
     Size/MD5 checksum:   424134 b80a81713471f455c6753e8282f1171d
    
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2956.html
    
    
    
    +---------------------------------+
    |  Package:  file                 | ----------------------------//
    |  Date: 03-13-2003               |
    +---------------------------------+
    
    Description:
    iDEFENSE discovered a buffer overflow vulnerability in the ELF format
    parsing of the "file" command, one which can be used to execute
    arbitrary code with the privileges of the user running the command.
    The vulnerability can be exploited by crafting a special ELF binary
    which is then input to file. This could be accomplished by leaving
    the binary on the file system and waiting for someone to use file to
    identify it, or by passing it to a service that uses file to classify
    input.
    
    Vendor Alerts:
    
     Debian:
     http://security.debian.org/pool/updates/
     main/f/file/file_3.28-1.potato.1_i386.deb
     Size/MD5 checksum:    88164 9a1945e7449e5bc243fd22af2cfb15a2
    
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2957.html
    
    
     EnGarde:
     EnGarde Vendor Advisory:
     http://www.linuxsecurity.com/advisories/engarde_advisory-2945.html
    
     Gentoo:
     Gentoo Vendor Advisory:
     http://www.linuxsecurity.com/advisories/gentoo_advisory-2947.html
    
     Mandrake:
     Mandrake Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2951.html
    
     NetBSD:
     NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2954.html
    
     Red Hat:
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-2943.html
    
    
    
    +---------------------------------+
    |  Package:  snort                | ----------------------------//
    |  Date: 03-07-2003               |
    +---------------------------------+
    
    Description:
    Recently ISS X-Force discovered a buffer overflow vulnerability in
    the RPC preprocessor of the snort IDS system.  A remote attacker
    could send fragmented RPC records and cause snort to execute
    arbitrary code as the snort user.
    
    Vendor Alerts:
    
      EnGarde:
      ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
      i386/snort-1.9.1-1.0.9.i386.rpm
      MD5 Sum: 5aa3f13b4f79cb27021517056a6c2f7c
    
      i686/snort-1.9.1-1.0.9.i686.rpm
      MD5 Sum: f379ae963718c32e46aacbf65941c404
    
      EnGarde Vendor Advisory:
      http://www.linuxsecurity.com/advisories/engarde_advisory-2944.html
    
    
    
      Gentoo:
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/gentoo_advisory-2941.html
    
      Mandrake:
      Mandrake Vendor Advisory:
      http://www.linuxsecurity.com/advisories/mandrake_advisory-2950.html
    
    
    
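    +---------------------------------+
    |  Package:  mysqlcc              | ----------------------------//
    |  Date: 03-07-2003               |
    +---------------------------------+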
    
    Description:
    Versions prior to 0.8.9 had all configuration and connection files
    world readable.
    
    Vendor Alerts:
    
      Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/gentoo_advisory-2942.html
    
    
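    +---------------------------------+
    |  Package:  netscape-flash       | ----------------------------//
    |  Date: 03-09-2003               |
    +---------------------------------+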
    
    Description:
    The cumulative security patch is available today and addresses the
    potential for exploits surrounding buffer overflows (read/write) and
    sandbox integrity within the player, which might allow malicious
    users to gain access to a user's computer.
    
    Vendor Alerts:
    
     Gentoo:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Gentoo Vendor Advisory:
     http://www.linuxsecurity.com/advisories/gentoo_advisory-2948.html
    
    
    
    +---------------------------------+
    |  Package:  ethereal             | ----------------------------//
    |  Date: 03-09-2003               |
    +---------------------------------+
    
    Description:
    The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format
    string overflow. This vulnerability has been present in Ethereal
    since the SOCKS dissector was introduced in version 0.8.7. It was
    discovered by Georgi Guninski. Additionally, the NTLMSSP code is
    susceptible to a heap overflow. All users of Ethereal 0.9.9 and below
    are encouraged to upgrade.
    
    Vendor Alerts:
    
      Gentoo:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      Gentoo Vendor Advisory:
      http://www.linuxsecurity.com/advisories/gentoo_advisory-2949.html
    
    
    
    +---------------------------------+
    |  Package:  usermode             | ----------------------------//
    |  Date: 03-12-2003               |
    +---------------------------------+
    
    Description:
    The /usr/bin/shutdown command that comes with the usermode package
    can be executed by local users to shut down all running processes and
    drop into a root shell.  This command is not really needed to
    shut down a system, so it has been removed and all users are
    encouraged to upgrade. Please note that the user must have local
    console access in order to obtain a root shell in this fashion.
    
    Vendor Alerts:
    
      Mandrake:
      9.0/RPMS/usermode-1.55-8.1mdk.i586.rpm
      6b3efb01bca77c598bfed862df7a10fe
    
      9.0/RPMS/usermode-consoleonly-1.55-8.1mdk.i586.rpm
      eda24e3cdb96a6171e5b6ed7e6b1da2b
    
      http://www.mandrakesecure.net/en/ftp.php
    
    
      Mandrake Vendor Advisory:
      http://www.linuxsecurity.com/advisories/mandrake_advisory-2955.html
    
    
    
    +---------------------------------+
    |  Package:  tcpdump              | ----------------------------//
    |  Date: 03-12-2003               |
    +---------------------------------+
    
    Description:
    The network traffic analyzer tool tcpdump is vulnerable to a
    denial-of-service condition while parsing ISAKMP or BGP packets. This
    bug can be exploited remotely by an attacker to stop the use of
    tcpdump for analyzing network traffic for signs of security breaches
    or the like. Another bug may lead to system compromise due to the
    handling of malformed NFS packets sent by an attacker.
    
    Vendor Alerts:
    
      SuSE:
      ftp://ftp.suse.com/pub/suse/i386/update/8.1/
      rpm/i586/tcpdump-3.7.1-198.i586.rpm
      524015d3f9517311ee46eb63bc3ed42f
    
      ftp://ftp.suse.com/pub/suse/i386/update/8.1/
      rpm/i586/tcpdump-3.7.1-198.i586.patch.rpm
      2e1d2db971cf2693e5acca0da7e3bb39
    
    
      SuSE Vendor Advisory:
      http://www.linuxsecurity.com/advisories/suse_advisory-2959.html
    
    
    
    +---------------------------------+
    |  Package: lprold                | ----------------------------//
    |  Date: 03-12-2003               |
    +---------------------------------+
    
    Description:
    The lprm command of the printing package lprold shipped till SuSE 7.3
    contains a buffer overflow. This buffer overflow can be exploited by
    a local user, if the printer system is set up correctly, to gain root
    privileges. lprold is installed as a default package and has the setuid
    bit set.
    
    Vendor Alerts:
    
      SuSE:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
      SuSE Vendor Advisory:
      http://www.linuxsecurity.com/advisories/suse_advisory-2958.html
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    