+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | June 11th, 2004 Volume 5, Number 24a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes point This week, advisories were released for gatos, jftpgw, ethereal, gallery, rsync, log2mail, kernel, lha, postgresql, cvs, cups, squirrelmail, squid, tla, Ethereal, tripwire, sitecopy, mailman, apache, mdkonline, xpcd, mod_ssl, ksymoops, and kerberos5. The distributors include Debain, Fedora, FreeBSD, Gentoo, Mandrake, NetBSD, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and Turbo Linux. ----- >> Internet Productivity Suite: Open Source Security << Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10 ----- Unnecessary Software Each week system administrators are inundated by hundreds of vendor advisories for every type of software imaginable. From time to time the patches are critical from a security perspective, but on other occasions they are merely a fix to a known bug. It is advisable to update all software on a consistent basis so that a bug in software does not result in a system vulnerability. Unfortunately because of the great number of advisories each week, it could be a full time job applying them. Applying 10 patches to 30 servers could possibly take days if an automated process isn't used. Everyone would agree, this is poor utilization of resources. There are several solutions to the problem. First, it is often a good idea to choose a specialized distribution, or spend time configuring a broad one. For example, those building a Web server should choose a distribution such as EnGarde Linux that has already been optimized and secured to perform these services. If an administrator wishes to use a distribution such as Debian, it is important that the necessary time is take to remove everything not in use. For example, there is no need for a Web server to have a compiler, X-windows, or games. This option requires system expertise, but is feasible. No matter what system is installed, it will almost always be the case that at least some unnecessary software is installed on it. On an RPM based system, it can be removed with the following command: /bin/rpm -e <packagename> Removing unnecessary software can potentially reduce administration work load. There will no longer be a need to keep that software up-to-date, and it no longer has the potential to turn into a vulnerability. It should be a priority to remove unnecessary setuid/setgid binaries. Vulnerabilities in these can often lead to root compromise, so they should only be used when necessary. To find setuid/setgid binaries on a system, simply use the following command: find / -type f -perm +6000 Remove each that is not in use and it can greatly reduce the risk of compromise. Until next time, cheers! Benjamin D. Thomas ben@private ---- Interview with Brian Wotring, Lead Developer for the Osiris Project Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc.He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals. http://www.linuxsecurity.com/feature_stories/feature_story-164.html -------------------------------------------------------------------- Guardian Digital Launches Next Generation Secure Mail Suite Guardian Digital, the premier open source security company, announced the availability of the next generation Secure Mail Suite, the industry's most secure open source corporate email system. This latest edition has been optimized to support the changing needs of enterprise and small business customers while continually providing protection from the latest in email security threats. http://www.linuxsecurity.com/feature_stories/feature_story-166.html -------------------------------------------------------------------- --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 6/8/2004 - gatos Privilege escalation vulnerability If initialization fails due to a missing configuration file, root privileges are not dropped, and xatitv executes the system(3) function without sanitizing user-supplied environment variables. http://www.linuxsecurity.com/advisories/debian_advisory-4434.html 6/8/2004 - jftpgw Format string vulnerability A remote user could potentially cause arbitrary code to be executed with the privileges of the jftpgw server process. http://www.linuxsecurity.com/advisories/debian_advisory-4435.html 6/8/2004 - ethereal Buffer overflow vulnerabilities Several buffer overflow vulnerabilities were discovered in ethereal. http://www.linuxsecurity.com/advisories/debian_advisory-4436.html 6/8/2004 - gallery Unauthenticated access A remote attacker could gain access to the gallery "admin" user without proper authentication. http://www.linuxsecurity.com/advisories/debian_advisory-4437.html 6/8/2004 - rsync Directory traversal vulnerability A remote user could cause an rsync daemon to write files outside of the intended directory tree, if the daemon is not configured with the 'chroot' option. http://www.linuxsecurity.com/advisories/debian_advisory-4438.html 6/8/2004 - log2mail Format string vulnerability Exploit could cause arbitrary code to be executed with the privileges of the log2mail process. http://www.linuxsecurity.com/advisories/debian_advisory-4439.html 6/8/2004 - kernel 2.2.20 Privilege escalation vulnerability Due to flushing the TLB too early it is possible for an attacker to trigger a local root exploit. This fix is to the sparc-built kernel and the kernel source. http://www.linuxsecurity.com/advisories/debian_advisory-4440.html 6/8/2004 - lha Multiple vulnerabilities Fixes multiple buffer overflows and multiple directory traversal vulnerabilities. http://www.linuxsecurity.com/advisories/debian_advisory-4441.html 6/8/2004 - postgresql Denial of service vulnerability It possible to exploit this problem and crash the surrounding application. http://www.linuxsecurity.com/advisories/debian_advisory-4442.html 6/10/2004 - cvs Buffer overflow vulnerability Derek Robert Price discovered a potential buffer overflow vulnerability in the CVS server. http://www.linuxsecurity.com/advisories/debian_advisory-4462.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 6/8/2004 - cups Non-encryption vulnerability Among other bugs, this fixes a failure to use encryption when required. http://www.linuxsecurity.com/advisories/fedora_advisory-4429.html 6/8/2004 - ethereal Multiple vulnerabilies This patch fixes three DoS vulns and a buffer overflow. http://www.linuxsecurity.com/advisories/fedora_advisory-4430.html 6/8/2004 - net-tools Excessive privilege vulnerability Multiple vulnerabilies netlink_listen & netlink_receive_dump should both check the source of the packets by looking at nl_pid and ensuring that it is 0 before performing any reconfiguration of network interfaces. http://www.linuxsecurity.com/advisories/fedora_advisory-4431.html 6/8/2004 - krb5 Multiple buffer overflows Exploitation could lead to denial of service or arbitrary code execution. http://www.linuxsecurity.com/advisories/fedora_advisory-4433.html 6/10/2004 - squirrelmail Multiple vulnerabilities Patch fixes a SQL injection and cross-site scripting flaw. http://www.linuxsecurity.com/advisories/fedora_advisory-4460.html 6/10/2004 - squid Buffer overflow vulnerability A remotely-exploitable buffer overflow allows the execution of arbitrary code. http://www.linuxsecurity.com/advisories/fedora_advisory-4461.html +---------------------------------+ | Distribution: FreeBSD | ----------------------------// +---------------------------------+ 6/8/2004 - kernel Excessive privilege vulnerability Jailed processes can manipulate host routing tables. http://www.linuxsecurity.com/advisories/freebsd_advisory-4428.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 6/8/2004 - tla Heap overflow vulnerability This vulnerability could allow execution of arbitrary code with the rights of the user running tla. Note: Important errata included at bottom. http://www.linuxsecurity.com/advisories/gentoo_advisory-4423.html 6/8/2004 - MPlayer, xine-lib Multiple vulnerabilities Heap overflow vulnerability A remote attacker, posing as a RTSP stream server, can execute arbitrary code with the rights of the user of the software playing the stream. http://www.linuxsecurity.com/advisories/gentoo_advisory-4424.html 6/8/2004 - Ethereal Multiple vulnerabilities Exploitation may allow an attacker to run arbitrary code or crash the program. http://www.linuxsecurity.com/advisories/gentoo_advisory-4425.html 6/8/2004 - tripwire Format string vulnerability Attacker could cause execution of arbitrary code with permissions of the user running tripwire, which could be the root user. http://www.linuxsecurity.com/advisories/gentoo_advisory-4426.html 6/8/2004 - sitecopy Multiple vulnerabilities When connected to a malicious WebDAV server, these vulnerabilities could allow execution of arbitrary code with the rights of the user running sitecopy. http://www.linuxsecurity.com/advisories/gentoo_advisory-4427.html 6/10/2004 - Mailman Password leak Mailman contains a bug allowing 3rd parties to retrieve member passwords. http://www.linuxsecurity.com/advisories/gentoo_advisory-4457.html 6/10/2004 - apache Buffer overflow vulnerability A bug in mod_ssl may allow a remote attacker to execute remote code when Apache is configured a certain way. http://www.linuxsecurity.com/advisories/gentoo_advisory-4458.html 6/10/2004 - cvs Multiple vulnerabilities Several serious new vulnerabilities have been found in CVS, which may allow an attacker to remotely compromise a CVS server. http://www.linuxsecurity.com/advisories/gentoo_advisory-4459.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 6/8/2004 - mdkonline Squid incompatability Though not a security problem per se, this is important to any who use Mandrake Online to patch their systems. http://www.linuxsecurity.com/advisories/mandrake_advisory-4417.html 6/8/2004 - xpcd Buffer overflow vulnerability Problem could be exploited by a local attacker to obtain root privileges. http://www.linuxsecurity.com/advisories/mandrake_advisory-4418.html 6/8/2004 - mod_ssl Buffer overflow vulnerability A remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. http://www.linuxsecurity.com/advisories/mandrake_advisory-4419.html 6/8/2004 - apache2 Buffer overflow vulnerability When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN. http://www.linuxsecurity.com/advisories/mandrake_advisory-4420.html 6/8/2004 - krb5 Buffer overflow vulnerabilities This could lead to root privileges, though it requires successfull authentication plus a non-default configuration to exploit. http://www.linuxsecurity.com/advisories/mandrake_advisory-4421.html 6/8/2004 - tripwire Format string vulnerability Exploit could allow a local user to execute arbitrary code with the rights of the user running tripwire (typically root). http://www.linuxsecurity.com/advisories/mandrake_advisory-4422.html 6/10/2004 - krb5 Patch fix The original patch provided contained a bug where rule-based entries on systems without HAVE_REGCOMP would not work. http://www.linuxsecurity.com/advisories/mandrake_advisory-4452.html 6/10/2004 - mdkonline Patch fix The previous update did not parse noarch packages, and new archs have been added (ia64, amd64, x86_64, ppc64) as well. As well, the mdkapplet now forces a restart when changes to itself have occurred. http://www.linuxsecurity.com/advisories/mandrake_advisory-4453.html 6/10/2004 - cvs Multiple vulnerabilities This patch addresses four seperate security issues with cvs. http://www.linuxsecurity.com/advisories/mandrake_advisory-4454.html 6/10/2004 - squid Buffer overflow vulnerability This buffer overflow can be exploited by a remote attacker by sending an overly long password, and grants the ability to execute arbitrary code. http://www.linuxsecurity.com/advisories/mandrake_advisory-4455.html 6/10/2004 - ksymoops Insecure temporary file vulnerability The script fails to do proper checking when copying a file to the /tmp directory. http://www.linuxsecurity.com/advisories/mandrake_advisory-4456.html +---------------------------------+ | Distribution: NetBSD | ----------------------------// +---------------------------------+ 6/8/2004 - cvs Heap overflow vulnerabilities CVS had heap overflow vulnerabilities which can be trigged remotely by malicious people on the net. http://www.linuxsecurity.com/advisories/netbsd_advisory-4416.html +---------------------------------+ | Distribution: OpenBSD | ----------------------------// +---------------------------------+ 6/10/2004 - cvs Multiple vulnerabilities While no exploits are known to exist for these bugs under OpenBSD at this time, some of the bugs have proven exploitable on other operating systems. http://www.linuxsecurity.com/advisories/openbsd_advisory-4451.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 6/8/2004 - cvs Denial of service vulnerabilities Updated cvs packages that fix remote denial of service vulnerabilities are now available. (This is a legacy Red Hat fix, released by the Fedora Project). http://www.linuxsecurity.com/advisories/redhat_advisory-4432.html 6/9/2004 - Ethereal Multiple vulnerabilities Patch fixes a buffer overflow plus several denail of service vulnerabilities http://www.linuxsecurity.com/advisories/redhat_advisory-4443.html 6/9/2004 - krb5 Buffer overflow vulnerabilities Updated Kerberos 5 (krb5) packages which correct buffer overflows in the krb5_aname_to_localname function are now available. http://www.linuxsecurity.com/advisories/redhat_advisory-4444.html 6/9/2004 - squid Buffer overflow vulnerability If Squid is configured to use the NTLM authentication helper, a remote attacker could potentially execute arbitrary code by sending a lengthy password. http://www.linuxsecurity.com/advisories/redhat_advisory-4445.html 6/9/2004 - cvs Multiple vulnerabilities This patch resolves many outstanding vulnerabilities of cvs. http://www.linuxsecurity.com/advisories/redhat_advisory-4446.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 6/8/2004 - mod_ssl Buffer overflow vulnerability May allow remote attackers to execute arbitrary code via a client certificate with a long subject DN, if mod_ssl is configured to trust the issuing CA. http://www.linuxsecurity.com/advisories/slackware_advisory-4414.html 6/8/2004 - php Insecure path vulnerability Exploitation of this issue requires a static library at an insecure path, and could allow denial of service or arbitrary code execution. http://www.linuxsecurity.com/advisories/slackware_advisory-4415.html 6/10/2004 - cvs Multiple vulnerabilities Resolves many vulnerabilities, including a buffer overflow. http://www.linuxsecurity.com/advisories/slackware_advisory-4450.html +---------------------------------+ | Distribution: Suse | ----------------------------// +---------------------------------+ 6/10/2004 - cvs Multiple vulnerabilities These bugs allow remote attackers to execute arbitrary code as the user the CVS server runs as. http://www.linuxsecurity.com/advisories/suse_advisory-4448.html 6/10/2004 - squid Buffer overflow vulnerability Squid is vulnerable to a buffer overflow that can be exploited remotely by using a long password to execute arbitrary code. http://www.linuxsecurity.com/advisories/suse_advisory-4449.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 6/8/2004 - apache Buffer overflow vulnerability Stack-based buffer overflow may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. http://www.linuxsecurity.com/advisories/trustix_advisory-4412.html 6/8/2004 - kerberos5 Buffer overflow vulnerabilities Exploitation of these flaws requires an unusual combination of factors, including successful authentication to a vulnerable service and a non-default configuration on the target service. http://www.linuxsecurity.com/advisories/trustix_advisory-4413.html 6/10/2004 - squid Buffer overflow vulnerability Remote exploitation of a buffer overflow vulnerability in Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. http://www.linuxsecurity.com/advisories/trustix_advisory-4447.html +---------------------------------+ | Distribution: Turbolinux | ----------------------------// +---------------------------------+ 6/8/2004 - Multiple Pkgs Multiple vulnerabilities cvs (2 issues), tcpdump (2 issues), apache (multiple issues) have been resolved. http://www.linuxsecurity.com/advisories/turbolinux_advisory-4411.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ ISN mailing list Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie! (Broke? Spend 15 minutes a day on the project!)
This archive was generated by hypermail 2b30 : Mon Jun 14 2004 - 02:54:41 PDT