[ISN] Linux Advisory Watch - December 5th 2003

From: InfoSec News (isn@private)
Date: Mon Dec 08 2003 - 02:26:14 PST


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  December 5th, 2003                       Volume 4, Number 48a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, there are multiple serious vulnerabilities that need to be
    addressed.  Advisories were released for bind, rsync, the Linux kernel,
    xboard, and gnupg.  The distributions include Caldera, Conectiva, Debian,
    Guardian Digital's EnGarde Secure Linux, Fedora, FreeBSD, Gentoo,
    Mandrake, Red Hat, Slackware, SuSE, Trustix, Turbolinux, and Yellow Dog
    Linux.
    
    ---
    
    >> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<
    
    In this guide you will find out how to test, purchase, install and use a
    Thawte Digital Certificate on your Apache web server. Throughout, best
    practices for set-up are highlighted to help you ensure efficient ongoing
    management of your encryption keys and digital certificates.
    
    Get your copy of this new guide now:
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29
    
    ---
    
    When will it end?  Last week, the biggest news was the Debian server
    compromise.  After some analysis, it was found that the vulnerability used
    to compromise those systems also affects nearly all other Linux
    distributions.  After you got your systems patched and thought it was safe
    to let your guard down, a serious remote rsync vulnerability was made
    public. What will it be next week, or next month?  No one can predict when
    bugs or exploits will surface, but there is one constant in all of
    this.  Vulnerabilities will continue to be uncovered.
    
    Although it is now cliche that 'security is a process, not a product,' the
    events in the last few weeks further emphasize this point.  By now, it
    should be apparent that many of the systems that we are using will never
    be bug free.  Expect them, and expect them often!  The most important
    advice that anyone can give is, be prepared.  What is preparation?
    Security must be a normal business process.  For example, servers should
    be patched at a consistent interval, a testing environment should be used
    to ensure that patches do not negatively affect production servers, and
    someone in the organization should have the responsibility of monitoring
    news sources looking for particularly harmful vulnerabilities. For example,
    if your organization chooses to patch the servers every Tuesday and
    Friday, but last Monday you were notified that updates were available for
    the kernel, a special consideration should have then been made.
    
    Similarly, there should be processes in the organization for the review of
    security policies, firewall rules, access control lists, etc.  All
    protection mechanisms should be reviewed by more than one person on a
    consistent basis.  The sooner that we can get out of the 'firefighter'
    mentality and approach security as a pure business process, the sooner we
    will achieve an appropriate level of protection. This week, take time to
    review the security processes in your organization.  Is there a reason for
    every action taken? When will your servers be updated again?  When was the
    last time we reviewed the accounts on the system?
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
    
    ---
    
    Guardian Digital Launches First Secure Small Business Internet
    Productivity Solution
    
    Building a complete Internet security and productivity system for your
    organization just got a whole lot simpler and more secure with Guardian
    Digital Internet Productivity Suite. Web-based management, spam and virus
    control, groupware, VPN services, and more!
    
    Find out more now:
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=ips01
    
    --------------------------------------------------------------------
    
    CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
    
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
    thanks to the depth of its security strategy..." Find out what the other
    Linux vendors are not telling you.
    
    http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
    
    --------------------------------------------------------------------
    
    OpenVPN: An Introduction and Interview with Founder, James Yonan In this
    article, Duane Dunston gives a brief introduction to OpenVPN and
    interviews its founder James Yonan.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-152.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    
    +---------------------------------+
    |  Distribution: Caldera          | ----------------------------//
    +---------------------------------+
    
    
     12/1/2003 - Bind
       cache poisoning vulnerability
    
       BIND is an implementation of the Domain Name System (DNS) protocols.
       Successful exploitation of this vulnerability may result in a temporary
       denial of service.
       http://www.linuxsecurity.com/advisories/caldera_advisory-3826.html
    
    
    +---------------------------------+
    |  Distribution: Conectiva        | ----------------------------//
    +---------------------------------+
    
     12/4/2003 - rsync
       heap buffer overflow
    
       rsync versions prior to 2.5.7 have a heap buffer overflow
       vulnerability[2] which can be exploited by remote attackers to execute
       arbitrary code.
       http://www.linuxsecurity.com/advisories/conectiva_advisory-3843.html
    
    
    +---------------------------------+
    |  Distribution: Debian           | ----------------------------//
    +---------------------------------+
    
     12/1/2003 - Kernel
       vulnerability in brk()
    
       Recently multiple servers of the Debian project were compromised using
       a Debian developer's account and an unknown root exploit. Forensics
       revealed a burneye encrypted exploit. Robert van der Meulen managed to
       decrypt the binary which revealed a kernel exploit.  Using this bug it
       is possible for a userland program to trick the kernel into giving
       access to the full kernel address space.
       http://www.linuxsecurity.com/advisories/debian_advisory-3824.html
    
     12/4/2003 - Rsync
       heap overflow vulnerability
    
       While this heap overflow vulnerability could not be used by itself to
       obtain root access on an rsync server, it could be used in combination
       with the recently announced do_brk() vulnerability in the Linux kernel
       to produce a full remote compromise.
       http://www.linuxsecurity.com/advisories/debian_advisory-3839.html
    
    
    +---------------------------------+
    |  Distribution: EnGarde          | ----------------------------//
    +---------------------------------+
    
     12/4/2003 - rsync
       heap overflow vulnerability
    
       A heap overflow vulnerability has been discovered in all versions of
       rsync prior to 2.5.7.  This vulnerability, exploitable when rsync is
       being run in "server mode", may allow the attacker to run arbitrary
       code on the compromised server.
       http://www.linuxsecurity.com/advisories/engarde_advisory-3840.html
    
    
    +---------------------------------+
    |  Distribution: Fedora           | ----------------------------//
    +---------------------------------+
    
     12/3/2003 - Kernel
       crash vulnerability
    
       The kernel shipped with Fedora Core 1 was vulnerable to a bug in the
       error return on a concurrent fork() with threaded exit() which could be
       exploited by a user level program to crash the kernel.
       http://www.linuxsecurity.com/advisories/fedora_advisory-3831.html
    
     12/4/2003 - rsync
       heap overflow vulnerability
    
       A heap overflow bug exists in rsync versions prior to 2.5.7.  On
       machines where the rsync server has been enabled, a remote attacker
       could use this flaw to execute arbitrary code as an unprivileged user.
       http://www.linuxsecurity.com/advisories/fedora_advisory-3844.html
    
     12/4/2003 - Xboard
       predictable file-write exploit
    
       XBoard 4.2.6 and older contain a script which writes to a file in /tmp
       with a predictable filename. Malicious users could use this
       vulnerability to force XBoard users to overwrite any file writable by
       them.
       http://www.linuxsecurity.com/advisories/fedora_advisory-3846.html
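    Added C example (not XBoard's code) of the scratch-file pattern that avoids the predictable /tmp filename problem described above: mkstemp() picks an unpredictable name and opens it with O_CREAT|O_EXCL, so a file or symlink placed in advance at a guessed name is never opened or followed. The directory argument, the name template and the helper names are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Checks that an open descriptor refers to a regular file owned by us with a
 * single link and no group/other permission bits. Returns 1 if it passes. */
int is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_nlink == 1
        && st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

/* Creates a fresh 0600 scratch file under dir with an unpredictable name and
 * returns its descriptor (path copied to path_out), or -1 on failure.
 * mkstemp() refuses to open an existing entry, so a pre-placed symlink at a
 * guessed name cannot redirect the write the way a fixed "/tmp/name" can.
 * The template prefix is an assumption for this example. */
int open_private_scratch(const char *dir, char *path_out, size_t path_len)
{
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s/xboard-scratch.XXXXXX", dir)
            >= (int)sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);     /* O_CREAT|O_EXCL, mode 0600 (glibc) */
    if (fd < 0)
        return -1;
    if (!is_private_regular_file(fd)) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    if (path_out && snprintf(path_out, path_len, "%s", tmpl) >= (int)path_len) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[4096];
    int fd = open_private_scratch("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("open_private_scratch");
        return 1;
    }
    /* Constructed sample content standing in for what the script would write. */
    const char msg[] = "scratch data\n";
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        perror("write");
    printf("wrote to %s\n", path);
    close(fd);
    unlink(path);
    return 0;
}
```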
    
    
    +---------------------------------+
    |  Distribution: FreeBSD          | ----------------------------//
    +---------------------------------+
    
     11/29/2003 - Bind
       Negative-cache DOS vulnerability
    
       An attacker may arrange for malicious DNS messages to be delivered to a
       target name server, and cause that name server to cache a negative
       response for some target domain name.  The name server would thereafter
       respond negatively to legitimate queries for that domain name,
       resulting in a denial-of-service for applications that require DNS.
       http://www.linuxsecurity.com/advisories/freebsd_advisory-3820.html
    
    
    +---------------------------------+
    |  Distribution: Gentoo           | ----------------------------//
    +---------------------------------+
    
     12/4/2003 - Rsync
       heap overflow vulnerability
    
       Rsync version 2.5.6 contains a vulnerability that can be used to run
       arbitrary code. The Gentoo infrastructure team has some reasonably good
       forensic evidence that this exploit may have been used in combination
       with the Linux kernel brk vulnerability (see GLSA 200312-02) to exploit
       an rsync.gentoo.org rotation server (see GLSA-200312-01).
       http://www.linuxsecurity.com/advisories/gentoo_advisory-3841.html
    
     12/4/2003 - Kernel
       buffer overflow vulnerability leading to root
    
       Lack of proper bounds checking exists in the do_brk() kernel function
       in Linux kernels prior to 2.4.23. This bug can be used to give a
       userland program or malicious service access to the full kernel address
       space and gain root privileges. This issue is known to be exploitable.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-3842.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     11/29/2003 - GnuPG
       Serious key vulnerability
    
       Phong Nguyen identified a severe bug in the way GnuPG creates and uses
       ElGamal keys for signing.  This is a significant security failure which
       can lead to a compromise of almost all ElGamal keys used for signing.
       Note that this is a real world vulnerability which will reveal your
       private key within a few seconds.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3821.html
    
     12/1/2003 - Kernel
       buffer overflow leading to root
    
       A vulnerability was discovered in the Linux kernel versions 2.4.22 and
       previous.  A flaw in bounds checking in the do_brk() function can allow
       a local attacker to gain root privileges.  This vulnerability is known
       to be exploitable; an exploit is in the wild at this time.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3825.html
    
    
    +---------------------------------+
    |  Distribution: Red Hat          | ----------------------------//
    +---------------------------------+
    
     12/1/2003 - kernel
       Privilege escalation vulnerability
    
       Updated kernel packages are now available that fix a security
       vulnerability leading to a possible privilege escalation.
       http://www.linuxsecurity.com/advisories/redhat_advisory-3827.html
    
     12/2/2003 - Net-SNMP
       Unauthorized access vulnerability
    
       Updated Net-SNMP packages are available to correct a security
       vulnerability and other bugs.
       http://www.linuxsecurity.com/advisories/redhat_advisory-3828.html
    
     12/4/2003 - rsync
       heap overflow
    
       A heap overflow bug exists in rsync versions prior to 2.5.7.  On
       machines where the rsync server has been enabled, a remote attacker
       could use this flaw to execute arbitrary code as an unprivileged user.
       http://www.linuxsecurity.com/advisories/redhat_advisory-3845.html
    
    
    +---------------------------------+
    |  Distribution: Slackware        | ----------------------------//
    +---------------------------------+
    
     12/3/2003 - Kernel
       buffer overflow leading to root
    
       New kernels are available for Slackware 9.1 and -current.  These have
       been upgraded to Linux kernel version 2.4.23, which fixes a bug in the
       kernel's do_brk() function that could be exploited to gain root
       privileges.
       http://www.linuxsecurity.com/advisories/slackware_advisory-3830.html
    
     12/4/2003 - Rsync
       heap overflow vulnerability
    
       A security problem which may lead to unauthorized machine access or
       code execution has been fixed by upgrading to rsync-2.5.7. This problem
       only affects machines running rsync in daemon mode, and is easier to
       exploit if the non-default option "use chroot = no" is used in the
       /etc/rsyncd.conf config file.
       http://www.linuxsecurity.com/advisories/slackware_advisory-3835.html
    
     12/4/2003 - Rsync
       heap overflow vulnerability
    
       A security problem which may lead to unauthorized machine access or code
       execution has been fixed by upgrading to rsync-2.5.7. This problem only
       affects machines running rsync in daemon mode, and is easier to exploit
       if the non-default option "use chroot = no" is used in the
       /etc/rsyncd.conf config file.
       http://www.linuxsecurity.com/advisories/slackware_advisory-3838.html
    
    
    +---------------------------------+
    |  Distribution: SuSE             | ----------------------------//
    +---------------------------------+
    
     11/29/2003 - BIND
       Negative cache vulnerability and many others
    
       The BIND8 code is vulnerable to a remote denial-of-service attack by
       poisoning the cache with authoritative negative responses that should
       not be accepted otherwise. To execute this attack a name-server needs
       to be under malicious control and the victim's bind8 has to query this
       name-server.
       http://www.linuxsecurity.com/advisories/suse_advisory-3822.html
    
     12/3/2003 - GnuPG
       multiple vulnerabilities
    
       Two independent errors have been found in gpg (GnuPG) packages as
       shipped with SUSE products: A) a format string error in the client
       code that does key retrieval from a (public) key server; B) a
       cryptographic error in gpg that results in a compromise of a
       cryptographic keypair if ElGamal signing keys have been used for
       generating the key.
       http://www.linuxsecurity.com/advisories/suse_advisory-3832.html
    
     12/4/2003 - Kernel
       local root exploit
    
       This security update fixes a serious vulnerability in the Linux kernel.
       A missing bounds check in the brk() system call allowed processes to
       request memory beyond the maximum size allowed for tasks, causing
       kernel memory to be mapped into the process' address space.  This
       allowed local attackers to obtain super user privileges. An exploit for
       this vulnerability is circulating in the wild, and has been used to
       compromise OpenSource development servers.
       http://www.linuxsecurity.com/advisories/suse_advisory-3836.html
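    As an added illustration (not the kernel's code) of the missing bounds check described above, the C model below contrasts the unpatched do_brk() range handling with the check that Linux 2.4.23 added. TASK_SIZE, the page size and the function names are assumptions chosen to mirror an i386 2.4 layout.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed i386 2.4 layout: user mappings must end at or below TASK_SIZE;
 * everything above it is kernel address space. */
#define PAGE_SIZE 4096UL
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define TASK_SIZE 0xC0000000UL

/* Model of the pre-2.4.23 behaviour: the request length is page-aligned,
 * but nothing checks where the resulting mapping ends. A request whose end
 * lies above TASK_SIZE is accepted, which is how kernel memory could become
 * mapped into the process' address space. Returns 0 (accepted) or -EINVAL. */
int brk_range_check_unpatched(unsigned long addr, unsigned long len)
{
    (void)addr;                 /* the start address is never examined */
    len = PAGE_ALIGN(len);
    if (!len)
        return 0;               /* empty request, nothing to map */
    return 0;
}

/* Model of the 2.4.23 fix: the end of the request must not cross TASK_SIZE,
 * and addr + len must not wrap around below addr (an integer-overflow
 * bypass of the first test). */
int brk_range_check_patched(unsigned long addr, unsigned long len)
{
    len = PAGE_ALIGN(len);
    if (!len)
        return 0;
    if (addr + len > TASK_SIZE || addr + len < addr)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed requests: an ordinary heap extension, one that crosses into
     * kernel space, and one whose end wraps around the address space. */
    struct { const char *what; unsigned long addr, len; } req[] = {
        { "normal heap growth", 0x08050000UL,          PAGE_SIZE },
        { "crosses TASK_SIZE",  TASK_SIZE - PAGE_SIZE, 2 * PAGE_SIZE },
        { "wraps around",       0UL - PAGE_SIZE,       2 * PAGE_SIZE },
    };
    for (unsigned i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-20s unpatched=%d patched=%d\n", req[i].what,
               brk_range_check_unpatched(req[i].addr, req[i].len),
               brk_range_check_patched(req[i].addr, req[i].len));
    return 0;
}
```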
    
     12/4/2003 - Rsync
       heap overflow vulnerability
    
       Due to insufficient integer/bounds checking in the server code a heap
       overflow can be triggered remotely to execute arbitrary code. This code
       does not get executed as root and access is limited to the chroot
       environment. The chroot environment may be broken afterwards by abusing
       further holes in system software or holes in the chroot setup.
       http://www.linuxsecurity.com/advisories/suse_advisory-3837.html
    
    
    +---------------------------------+
    |  Distribution: Trustix          | ----------------------------//
    +---------------------------------+
    
     11/28/2003 - bind
       Cache poisoning vulnerability
    
       A vulnerability has been found in BIND that ".. allows an attacker to
       conduct cache poisoning attacks on vulnerable name servers by
       convincing the servers to retain invalid negative responses."
       http://www.linuxsecurity.com/advisories/trustix_advisory-3819.html
    
     12/1/2003 - Kernel
       buffer overflow leading to root
    
       This update fixes an issue related to bounds checking in the do_brk()
       function in the Linux kernel versions 2.4.22 and previous.  This issue
       is known to be exploitable to gain root privileges.
       http://www.linuxsecurity.com/advisories/trustix_advisory-3823.html
    
     12/4/2003 - rsync
       heap overflow vulnerability
    
       All versions of rsync prior to 2.5.7 contain a heap overflow that can
       be used to execute arbitrary code remotely.
       http://www.linuxsecurity.com/advisories/trustix_advisory-3833.html
    
    
    +---------------------------------+
    |  Distribution: Turbolinux       | ----------------------------//
    +---------------------------------+
    
     11/28/2003 - Multiple
       package updates
    
       fileutils, fetchmail, postgresql, cups, and ethereal have been updated
       to address security vulnerabilities.
       http://www.linuxsecurity.com/advisories/turbolinux_advisory-3818.html
    
     12/3/2003 - Kernel
       buffer overflow leading to root
    
       The kernel package contains the Linux kernel (vmlinuz), the core of
       your Linux operating system. A flaw in bounds checking in the do_brk()
       function in the Linux kernel may allow local users to gain root
       privileges.
       http://www.linuxsecurity.com/advisories/turbolinux_advisory-3829.html
    
    
    +---------------------------------+
    |  Distribution: Yellow Dog       | ----------------------------//
    +---------------------------------+
    
     12/4/2003 - Kernel
       buffer overflow leading to root
    
       A flaw in bounds checking in the do_brk() function in the Linux kernel
       versions 2.4.22 and previous can allow a local attacker to gain root
       privileges. This issue is known to be exploitable; an exploit has been
       seen in the wild that takes advantage of this vulnerability.
       http://www.linuxsecurity.com/advisories/yellowdog_advisory-3834.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-request@private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    


