[ISN] Linux Advisory Watch - October 15th 2004

From: InfoSec News (isn@private)
Date: Sun Oct 17 2004 - 23:24:38 PDT


+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  October 15th, 2004                           Volume 5, Number 41a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@private          ben@private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for cups, samba, mysql, mpg123, sox,
Ed, ncompress, LessTif, gettext, xfree86, tiff, wordpress, BNC, libpng,
and rsync.  The distributors include Conectiva, Debian, Fedora, Gentoo,
Slackware, and Trustix.

-----
>> The Perfect Productivity Tools <<

WebMail, Groupware and LDAP Integration provide organizations with the
ability to securely access corporate email from any computer, collaborate
with co-workers and set-up comprehensive addressbooks to consistently keep
employees organized and connected.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn05
-----

Storing Log Data Securely

It is also a good idea to store log data at a secure location, such as a
dedicated log server within your well-protected network.  Once a machine
has been compromised, log data becomes of little use as it most likely has
also been modified by the intruder.  It most likely of little value in a
criminal investigation.  It helps if the log data, which has been stored
remotely, indicates when root access was gained so that logs before that
point are okay.

The syslogd daemon can be configured to automatically send log data to a
central syslogd server, but this is typically sent in cleartext data,
allowing an intruder to view data as it is being transferred. This may
reveal information about your network that is not intended to be public.
There are syslog daemons available that encrypt the data as it is being
sent.

Also be aware that faking syslog messages has been reported, with an
exploit program having been published.  Syslog even accepts net log
entries claiming to come from the local host without indicating their true
origin.  A more secure implementation has been written by CORE-SDI, and is
available at:

http://oss.coresecurity.com/projects/msyslog.html

If possible, configure syslogd to send a copy of the most important data
to a secure system.  This will prevent an intruder from covering his
tracks by deleting his login, su, ftp, etc attempts.  See the
syslog.conf(5) man page, and refer to the ``@'' option.

If you've already decided to use a central syslog server, the additional
security this provides is well worth it.  However, you should consider the
additional overhead involved with sending this data real-time across your
network.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

Written by: Dave Wreski (dave@private)

-----

AIDE and CHKROOTKIT

Network security is continuing to be a big problem for companies and home
users. The problem can be resolved with an accurate security analysis. In
this article I show how to approach security using aide and chkrootkit.

http://www.linuxsecurity.com/feature_stories/feature_story-173.html

---------------------------------------------------------------------

An Interview with Gary McGraw, Co-author of Exploiting Software:
How to Break Code

Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software
(Addison-Wesley, 2002). More recently, he has co-written with Greg Hoglund
a companion volume, Exploiting Software, which details software security
from the vantage point of the other side, the attacker. He has graciously
agreed to share some of his insights with all of us at LinuxSecurity.com

http://www.linuxsecurity.com/feature_stories/feature_story-171.html

------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 10/14/2004 - cups
   denial of service vulnerability fix

   Alvaro Martinez Echevarria found a vulnerability[2] in the CUPS
   Internet Printing Protocol (IPP) implementation that allows remote
   attackers to make CUPS stop listening on the IPP port by sending
   an empty UDP datagram packet to the IPP port, causing a denial of
   service situation.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4948.html

 10/14/2004 - samba
   vulnerabilities fix

   This announcement fixes two denial of service vulnerabilities via
   certain malformed requests[2] and via a SAM_UAS_CHANGE request
   with a big length value[3] when domain logons are enabled.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4949.html


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 10/10/2004 - python2.2 buffer overflow and restore functionality fix
   vulnerabilities fix

   This security advisory corrects DSA 458-2 which caused a problem
   in the gethostbyaddr routine.
   http://www.linuxsecurity.com/advisories/debian_advisory-4917.html

 10/11/2004 - mysql
   several vulnerabilities fix

   Severl problems have been discovered in MySQL, a commonly used SQL
   database on Unix servers.
   http://www.linuxsecurity.com/advisories/debian_advisory-4931.html

 10/12/2004 - cyrus-sasl arbitrary code execution fix
   several vulnerabilities fix

   A vulnerability has been discovered in the Cyrus implementation of
   the SASL library, the Simple Authentication and Security Layer, a
   method for adding authentication support to connection-based
   protocols.
   http://www.linuxsecurity.com/advisories/debian_advisory-4936.html

 10/12/2004 - cyrus-sasl arbitrary code execution real fix
   several vulnerabilities fix

   This advisory corrects DSA 563-1 which contained a library that
   caused other programs to fail unindented.
   http://www.linuxsecurity.com/advisories/debian_advisory-4937.html

 10/13/2004 - mpg123
   arbitrary code exceution fix

   Davide Del Vecchio discovered a vulnerability mpg123, a popular
   (but non-free) MPEG layer 1/2/3 audio player.  A malicious MPEG
   layer 2/3 file could cause the header checks in mpg123 to fail,
   which could in turn allow arbitrary code to be executed with the
   privileges of the user running mpg123.
   http://www.linuxsecurity.com/advisories/debian_advisory-4941.html

 10/13/2004 - sox
   buffer overflow fix

   Ulf Harnhammar has reported two vulnerabilities in SoX, a
   universal sound sample translator, which may be exploited by
   malicious people to compromise a user's system with a specially
   crafted .wav file.
   http://www.linuxsecurity.com/advisories/debian_advisory-4942.html

 10/14/2004 - cyrus-sasl arbitrary code execution fix
   buffer overflow fix

   This advisory is an addition to DSA 563-1 and 563-2 which weren't
   able to supersede the library on sparc and arm due to a different
   version number for them in the stable archive.
   http://www.linuxsecurity.com/advisories/debian_advisory-4950.html

 10/14/2004 - CUPS
   information leak fix

   An information leak has been detected in CUPS, the Common UNIX
   Printing System, which may lead to the disclosure of sensitive
   information, such as user names and passwords which are written
   into log files.
   http://www.linuxsecurity.com/advisories/debian_advisory-4952.html


+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 10/11/2004 - squid-2.5.STABLE5-4.fc2.1 update
   information leak fix

   This update fixes a potential DoS against squid that was reported
   by Secunia.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4920.html

 10/8/2004 - cyrus-sasl-2.1.18-2.2 update
   information leak fix

   In situations where an untrusted local user can affect the
   environment of a privileged process, this behavior could be
   exploited to run arbitrary code with the privileges of a setuid or
   setgid application.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4922.html

 10/11/2004 - pcmcia-cs-3.2.7-1.8.2.1 update
   information leak fix

   This update fixes a few problems in the PCMCIA init script.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4933.html

 10/11/2004 - gimp-2.0.5-0.fc2.1 update
   information leak fix

   The GIMP (GNU Image Manipulation Program) is a powerful image
   composition and editing program, which can be extremely useful for
   creating logos and other graphics for webpages.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4934.html

 10/12/2004 - tzdata-2004e-1.fc2 update
   information leak fix

   This package contains data files with rules for various timezones
   around the world.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4940.html

 10/13/2004 - libuser-0.52.5-0.FC2.1 update
   information leak fix

   This update fixes many bugs, mostly in the LDAP backend and the
   Python bindings.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4944.html

 10/13/2004 - squid-2.5.STABLE5-4.fc2.2 update
   information leak fix

   Backport fix for CAN-2004-0918 (Remote Denial of Service attack)
   http://www.linuxsecurity.com/advisories/fedora_advisory-4945.html

 10/13/2004 - system-config-users-1.2.25-0.fc2.1 update
   information leak fix

   when renaming users, ensure that groups forget about the old user
   name (#135280)
   http://www.linuxsecurity.com/advisories/fedora_advisory-4946.html

 10/14/2004 - k3b-0.11.14-0.FC2.2 version string parsing fix
   information leak fix

   K3b provides a comfortable user interface to perform most CD/DVD
   burning tasks. While the experienced user can take influence in
   all steps of the burning process the beginner may find comfort in
   the automatic settings and the reasonable k3b defaults which allow
   a quick start.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4951.html

 10/14/2004 - gimp-2.0.5-0.fc2.2 update
   information leak fix

   This update fixes the bug that catches the wrong values of bpp in
   the BMP plugin.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4953.html

 10/14/2004 - libtiff-3.5.7-20.2 update
   information leak fix

   Chris Evans discovered a number of integer overflow bugs that
   affect libtiff. An attacker who has the ability to trick a user
   into opening a malicious TIFF file could cause the application
   linked to libtiff to crash or possibly execute arbitrary code.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4954.html

 10/14/2004 - w3m-0.5.1-3.1 update
   information leak fix

   The w3m program is a pager (or text file viewer) that can also be
   used as a text-mode Web browser.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4955.html

 10/14/2004 - ruby-1.8.1-6 update
   information leak fix

   A security fix [CAN-2004-0755].
   ruby-1.8.1-cgi_session_perms.patch: sets the permission of the
   session data file to 0600. (#130063)
   http://www.linuxsecurity.com/advisories/fedora_advisory-4956.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 10/9/2004 - CUPS
   Leakage of sensitive information

   CUPS leaks information about user names and passwords when using
   remote printing to SMB-shared printers which require
   authentication.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4926.html

 10/9/2004 - Ed
   Insecure temporary file handling

   The ed utility is vulnerable to symlink attacks, potentially
   allowing a local user to overwrite or change rights on arbitrary
   files with the rights of the user running ed, which could be the
   root user.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4927.html

 10/9/2004 - ncompress
   Buffer overflow

   compress and uncompress, which could be used by daemon programs,
   contain a buffer overflow that could lead to remote execution of
   arbitrary code with the rights of the daemon process.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4928.html

 10/9/2004 - LessTif
   Integer and stack overflows in libXpm

   Multiple vulnerabilities have been discovered in libXpm, which is
   included in LessTif, that can potentially lead to remote code
   execution.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4929.html

 10/10/2004 - gettext
   Insecure temporary file handling

   The gettext utility is vulnerable to symlink attacks, potentially
   allowing a local user to overwrite or change permissions on
   arbitrary files with the rights of the user running gettext, which
   could be the root user.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4930.html

 10/11/2004 - xfree86
   integer and stack overflows

   Chris Evans discovered several stack and integer overflows in the
   libXpm library which is provided by X.Org, XFree86 and LessTif.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4932.html

 10/13/2004 - tiff
   Buffer overflows in image decoding

   Multiple heap-based overflows have been found in the tiff library
   image decoding routines, potentially allowing to execute arbitrary
   code with the rights of the user viewing a malicious image.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4943.html

 10/14/2004 - wordpress
   HTTP response splitting and XSS vulnerabilities

   WordPress contains HTTP response splitting and cross-site
   scripting vulnerabilities.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4947.html

 10/15/2004 - BNC
   Input validation flaw

   BNC contains an input validation flaw which might allow a remote
   attacker to issue arbitrary IRC related commands.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4957.html


+---------------------------------+
|  Distribution: Other            | ----------------------------//
+---------------------------------+

 10/12/2004 - CUPS
   before 1.1.21 allows remote attackers to cause a denial of service

   The Internet Printing Protocol (IPP) implementation in CUPS before
   1.1.21 allows remote attackers to cause a denial of service via a
   certain UDP packet to the IPP port.
   http://www.linuxsecurity.com/advisories/other_advisory-4938.html

 10/12/2004 - libpng
   Multiple Vulnerabilities

   Several vulnerabilities exist in the libpng library, the most
   serious of which could allow a remote attacker to execute
   arbitrary code on an affected system.
   http://www.linuxsecurity.com/advisories/other_advisory-4939.html


+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 10/12/2004 - rsync
   security update

   New rsync 2.6.3 packages are available for Slackware 8.1, 9.0,
   9.1, 10.0, and -current to a fix security issue when rsync is run
   as a non-chrooted server.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4935.html


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 10/8/2004 - cyrus-sasl Insecure handling of environment variable
   security update

   Kurt Lieber  reported that libsasl
   honors the environment variable SASL_PATH blindly, allowing a
   local user to compile a "library" locally that is executed with
   the EID of SASL.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4919.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@private
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Mon Oct 18 2004 - 08:26:24 PDT