+---------------------------------------------------------------------+ | LinuxSecurity.com Weekly Newsletter | | November 26th, 2004 Volume 5, Number 47a | +---------------------------------------------------------------------+ Editors: Dave Wreski Benjamin D. Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for bugzilla, samba, bnc, sudo, Cyrus, yardradius, AbiWord, unarj, pdftohtml, ProZilla, phpBB, TWiki, XFree86, libxpm4, a2ps, zip, kdebase, and kdelibs. The distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, and Trustix. ----- LinuxSecurity.com Version 2 ----- Get ready ... on December 1st the new LinuxSecurity.com site will be revealed. The same great content you've come to expect with a whole new look and great new features. A sneak preview is coming soon! http://ads.linuxsecurity.com/cgi-bin/ads.pl?banner=lsv2flashdemo ------ Security Basics In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is becoming more and more of an issue. Security is now a basic requirement because global computing is inherently insecure. As your data goes from point A to point B on the Internet, for example, it may pass through several other points along the way, giving other users the opportunity to intercept, and even alter, your data. Even other users on your system may maliciously transform your data into something you did not intend. Unauthorized access to your system may be obtained by intruders, also known as ``crackers'', who then use advanced knowledge to impersonate you, steal information from you, or even deny you access to your own resources. If you're still wondering what the difference is between a ``Hacker'' and a ``Cracker'', see Eric Raymond's document, ``How to Become A Hacker'', available at: http://www.catb.org/~esr/faqs/hacker-howto.html How Vulnerable Are We? * While it is difficult to determine just how vulnerable a particular system is, there are several indications we can use: * The Computer Emergency Response Team consistently reports an increase in computer vulnerabilities and exploits. * TCP and UDP, the protocols that comprise the Internet, were not written with security as their first priority when it was created more than 30 years ago. * A version of software on one host has the same vulnerabilities as the same version of software on another host. Using this information, an intruder can exploit multiple systems using the same attack method. * Many administrators don't even take simple security measures necessary to protect their site, or don't understand the ramifications of implementing some se Excerpt from the LinuxSecurity Administrator's Guide: http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html Written by: Dave Wreski (dave@private) ----- Mass deploying Osiris Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel. http://www.linuxsecurity.com/feature_stories/feature_story-175.html --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ 11/23/2004 - shadow-utils authentication bypass vulnerability fix Martin Schulze reported a vulnerability[2] in the passwd_check() function in "libmisc/pwdcheck.c" which is used by chfn and chsh and thus may allow a local attacker to use them to change the standard shell of other users or modify their GECOS information (full name, phone number...). http://www.linuxsecurity.com/advisories/conectiva_advisory-5223.html 11/23/2004 - bugzilla remote vulnerability fix Bugzilla versions prior to 2.16.7 have a vulnerability[3] which allows a remote user to remove keywords from a ticket even without the necessary permissions. Such an action, however, would trigger the usual e-mail detailing the changes, making it easy to discover what happened and what was changed. http://www.linuxsecurity.com/advisories/conectiva_advisory-5224.html 11/25/2004 - samba denial of service vulnerability fix Karol Wiesek found a vulnerability[2] in the input validation routines in Samba 3.x used to match filename strings containing wildcard characters that may allow a remote attacker to consume abnormal amounts of CPU cycles. http://www.linuxsecurity.com/advisories/conectiva_advisory-5234.html +---------------------------------+ | Distribution: Debian | ----------------------------// +---------------------------------+ 11/24/2004 - bnc buffer overflow Leon Juranic discovered that BNC, an IRC session bouncing proxy, does not always protect buffers from being overwritten. This could exploited by a malicious IRC server to overflow a buffer of limited size and execute arbitrary code on the client host. http://www.linuxsecurity.com/advisories/debian_advisory-5227.html 11/24/2004 - sudo privilege escalation fix Liam Helmer noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as privileged user, leaving possibilities to overload system routines. http://www.linuxsecurity.com/advisories/debian_advisory-5228.html 11/24/2004 - sudo removes debug output Liam Helmer noticed that sudo, a program that provides limited super user privileges to specific users, does not clean the environment sufficiently. Bash functions and the CDPATH variable are still passed through to the program running as privileged user, leaving possibilities to overload system routines. http://www.linuxsecurity.com/advisories/debian_advisory-5229.html 11/25/2004 - Cyrus IMAP arbitrary code execution fix Stefan Esser discovered several security related problems in the Cyrus IMAP daemon. Due to a bug in the command parser it is possible to access memory beyond the allocated buffer in two places which could lead to the execution of arbitrary code. http://www.linuxsecurity.com/advisories/debian_advisory-5240.html 11/25/2004 - yardradius arbitrary code execution fix Max Vozeler noticed that yardradius, the YARD radius authentication and accounting server, contained a stack overflow similar to the one from radiusd which is referenced as CAN-2001-0534. This could lead to the execution of arbitrary code as root. http://www.linuxsecurity.com/advisories/debian_advisory-5241.html 11/25/2004 - tetex-bin arbitrary code execution arbitrary code execution fix Chris Evans discovered several integer overflows in xpdf, that are also present in tetex-bin, binary files for the teTeX distribution, which can be exploited remotely by a specially crafted PDF document and lead to the execution of arbitrary code. http://www.linuxsecurity.com/advisories/debian_advisory-5242.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 11/19/2004 - system-config-users-1.2.28-0.fc3.1 update arbitrary code execution fix check for running processes of a user about to be deleted (#132902) http://www.linuxsecurity.com/advisories/fedora_advisory-5205.html 11/19/2004 - system-config-users-1.2.28-0.fc2.1 update arbitrary code execution fix check for running processes of a user about to be deleted (#132902) http://www.linuxsecurity.com/advisories/fedora_advisory-5206.html 11/19/2004 - rhgb-0.16.1-1.FC3 update arbitrary code execution fix This should fix the problem where rhgb blocks the boot process when X fails to initialize correctly, as well as the one preventing vncserver to start when rhgb is used. http://www.linuxsecurity.com/advisories/fedora_advisory-5207.html 11/22/2004 - redhat-menus-3.7-2.2.fc3 update arbitrary code execution fix This update adds additional file types to the list of file types associated with the OpenOffice.org application suite, allowing users to open more documents with OpenOffice.org through Nautilus and Evolution. http://www.linuxsecurity.com/advisories/fedora_advisory-5213.html 11/22/2004 - kernel-2.6.9-1.6_FC2 update arbitrary code execution fix This update brings a rebase to 2.6.9, including various security fixes incorporated into the upstream kernel, and also includes Alan Cox's -ac patchset, which adds additional security fixes. http://www.linuxsecurity.com/advisories/fedora_advisory-5214.html 11/22/2004 - kernel-2.6.9-1.681_FC3 update arbitrary code execution fix This update brings an updated -ac patch which which adds several security fixes, and various other fixes that have occured since the release of Fedora Core 3. http://www.linuxsecurity.com/advisories/fedora_advisory-5215.html 11/22/2004 - redhat-menus-3.7.1-1.fc3 update arbitrary code execution fix This update fixes the missing evolution icon bug (#rh138282). http://www.linuxsecurity.com/advisories/fedora_advisory-5216.html 11/23/2004 - system-config-display-1.0.24-1 update arbitrary code execution fix This fixes tracebacks experienced by some users with dual head support http://www.linuxsecurity.com/advisories/fedora_advisory-5217.html 11/24/2004 - system-config-samba-1.2.22-0.fc3.1 update arbitrary code execution fix add missing options (#137756) http://www.linuxsecurity.com/advisories/fedora_advisory-5230.html 11/24/2004 - system-config-samba-1.2.22-0.fc2.1 update arbitrary code execution fix add missing options (#137756), don't raise exception when writing /etc/samba/smb.conf (#135946), updated translations http://www.linuxsecurity.com/advisories/fedora_advisory-5231.html 11/25/2004 - AbiWord bug fixes Fixes for tempnam usages and startup geometry crashes http://www.linuxsecurity.com/advisories/fedora_advisory-5232.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 11/19/2004 - X.org, Xfree vulnerabilities bug fixes libXpm contains several vulnerabilities that could lead to a Denial of Service and arbitrary code execution. http://www.linuxsecurity.com/advisories/gentoo_advisory-5209.html 11/19/2004 - unarj Long filenames buffer overflow and a path traversal vulnerability unarj contains a buffer overflow and a directory traversal vulnerability. This could lead to overwriting of arbitrary files or the execution of arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-5210.html 11/23/2004 - pdftohtml Vulnerabilities in included Xpdf pdftohtml includes vulnerable Xpdf code to handle PDF files, making it vulnerable to execution of arbitrary code upon converting a malicious PDF file. http://www.linuxsecurity.com/advisories/gentoo_advisory-5219.html 11/23/2004 - ProZilla Multiple vulnerabilities ProZilla contains several buffer overflow vulnerabilities that can be exploited by a malicious server to execute arbitrary code with the rights of the user running ProZilla. http://www.linuxsecurity.com/advisories/gentoo_advisory-5220.html 11/23/2004 - phpBB Remote command execution phpBB contains a vulnerability which allows a remote attacker to execute arbitrary commands with the rights of the web server user. http://www.linuxsecurity.com/advisories/gentoo_advisory-5221.html 11/24/2004 - TWiki Arbitrary command execution A bug in the TWiki search function allows an attacker to execute arbitrary commands with the permissions of the user running TWiki. http://www.linuxsecurity.com/advisories/gentoo_advisory-5222.html 11/25/2004 - Cyrus IMAP Multiple remote vulnerabilities The Cyrus IMAP Server contains multiple vulnerabilities which could lead to remote execution of arbitrary code. http://www.linuxsecurity.com/advisories/gentoo_advisory-5233.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 11/23/2004 - XFree86 vulnerabilities fix A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops. http://www.linuxsecurity.com/advisories/mandrake_advisory-5225.html 11/23/2004 - libxpm4 vulnerabilities fix A source code review of the XPM library, done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs. These bugs include integer overflows, out-of-bounds memory access, shell command execution, path traversal, and endless loops. http://www.linuxsecurity.com/advisories/mandrake_advisory-5226.html 11/25/2004 - Cyrus IMAP multiple vulnerabilities A number of vulnerabilities in the Cyrus-IMAP server were found by Stefan Esser. Due to insufficient checking within the argument parser of the 'partial' and 'fetch' commands, a buffer overflow could be exploited to execute arbitrary attacker-supplied code. http://www.linuxsecurity.com/advisories/mandrake_advisory-5235.html 11/25/2004 - a2ps vulnerability fix The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitray commands with the privileges of the user running the vulnerable application. http://www.linuxsecurity.com/advisories/mandrake_advisory-5236.html 11/25/2004 - zip vulnerability fix A vulnerability in zip was discovered where zip would not check the resulting path length when doing recursive folder compression, which could allow a malicious person to convince a user to create an archive containing a specially-crafted path name. http://www.linuxsecurity.com/advisories/mandrake_advisory-5237.html 11/26/2004 - kdebase various bugs fixes A number of bugs in kdebase are fixed with this update. http://www.linuxsecurity.com/advisories/mandrake_advisory-5238.html 11/26/2004 - kdelibs various bugs fix A number of bugs in kdelibs are fixed with this update. http://www.linuxsecurity.com/advisories/mandrake_advisory-5239.html +---------------------------------+ | Distribution: Openwall | ----------------------------// +---------------------------------+ 11/23/2004 - 2.4.28-ow1 security-related bugs various bugs fix Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs, including the ELF loader vulnerabilities discovered by Paul Starzetz (confirmed: ability for users to read +s-r binaries; potential: local root), a race condition with reads from Unix domain sockets (potential local root), smbfs http://www.linuxsecurity.com/advisories/openwall_advisory-5218.html +---------------------------------+ | Distribution: Trustix | ----------------------------// +---------------------------------+ 11/22/2004 - apache, kernel, sudo Multiple vulnerabilities various bugs fix An issue was discovered where the field length limit was not enforced for certain malicious requests. This could lead to a remote denial of service attack. http://www.linuxsecurity.com/advisories/trustix_advisory-5211.html 11/22/2004 - amavisd-new, anaconda, courier-imap, ppp, setup, spamassassin, swup, tftp-hpa, tsl-utils Package bugfixes various bugs fix amavisd-new: Add tmpwatch of the virusmails directory to keep it from growing infinitely. Anaconda: Increase ramdisk-size as needed by netboot floppy. Courier-imap: Now use $HOME/Maildir. http://www.linuxsecurity.com/advisories/trustix_advisory-5212.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Mon Nov 29 2004 - 01:28:04 PST