+----------------------------------------------------------------+
|  LinuxSecurity.com                         Linux Advisory Watch |
|  October 12th, 2001                        Volume 2, Number 41a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                 Benjamin Thomas
               dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for slrn, most, uucp, squid,
Mandrake 8.1 kernel, sendmail, lprold, and zope. The vendors include
Caldera, FreeBSD, Mandrake, Progeny, Red Hat, and SuSE.

Lock down your network! The EnGarde Linux distribution was designed
from the ground up as a secure solution, starting with the principle
of least privilege, and carrying it through every aspect of its
implementation.

  http://www.engardelinux.org

Take advantage of our Linux Security discussion list! This mailing
list is for general security-related questions and comments. To
subscribe send an e-mail to:

  security-discuss-request@linuxsecurity.com

+---------------------------------+
|  slrn                           | ----------------------------//
+---------------------------------+

The slrn package, a threaded news reader, is susceptible to remote
command invocation in Progeny versions prior to 0.9.6.2-9potato2.
Progeny:

  i386
    http://archive.progeny.com/progeny/updates/newton/
    5efc319eb969c761dda2a26bfaf87110  slrn_0.9.6.2-9potato2_i386.deb
    1b72b7ac4a8c495cc9c74b2f7b52e471  slrnpull_0.9.6.2-9potato2_i386.deb

  Progeny Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1625.html

+---------------------------------+
|  most                           | ----------------------------//
+---------------------------------+

Pavel Machek found a buffer overflow in the "most" pager program. The
problem is in most's tab expansion, where the program would write
beyond the bounds of two array variables when viewing a malicious
file. This could lead to other data structures being overwritten,
which in turn could enable "most" to execute arbitrary code and
compromise the user's environment.

Progeny:

  i386
    http://archive.progeny.com/progeny/updates/newton/
    8e26b5b97cf2654bbfd2027afdd25e88  most_4.9.2-1progeny1_i386.deb

  Progeny Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1626.html

+---------------------------------+
|  uucp                           | ----------------------------//
+---------------------------------+

zen-parse found a problem with Taylor UUCP as distributed with many
Linux distributions. Due to incorrect argument handling in a component
of the Taylor UUCP package, it is possible for local users to gain
uid/gid uucp.

Progeny:

  i386
    http://archive.progeny.com/progeny/updates/newton/
    7f474134296bfeb6d03579f16843bd82  uucp_1.06.1-11potato1progeny2_i386.deb

  Progeny Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1627.html

FreeBSD:

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch

  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-1629.html

+---------------------------------+
|  squid                          | ----------------------------//
+---------------------------------+

A remote attacker may use the squid server in order to issue requests
to hosts that are otherwise inaccessible.
Because the squid server processes these requests as HTTP requests,
the attacker cannot send or retrieve arbitrary data. However, the
attacker could use squid's response to determine if a particular port
is open on a victim host. Therefore, the squid server may be used to
conduct a port scan.

FreeBSD:

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.3_1.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.4_5.tgz

  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-1628.html

+---------------------------------+
|  Kernel: Mandrake 8.1           | ----------------------------//
+---------------------------------+

Alexander Viro discovered a vulnerability in the devfs implementation
that is shipped with Mandrake Linux 8.1. We are aware of the problem
and are currently working on a solution. As a workaround, until an
update becomes available, please boot with the devfs=nomount option.

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-1630.html

+---------------------------------+
|  htdig                          | ----------------------------//
+---------------------------------+

The htsearch CGI runs both as a CGI and as a command-line program. The
command-line program accepts -c [filename] to read in an alternate
configuration file. However, no filtering is done to stop the CGI
program from taking command-line arguments, so a remote user can force
the CGI to stall until it times out (resulting in a DoS) or read in a
different configuration file.
  PLEASE SEE VENDOR ADVISORY

  htdig Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1631.html

Caldera:

  i386
    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
    33b12c381170e69267ffff170b5e7cdc  RPMS/htdig-3.1.5-8.i386.rpm

  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-1632.html

+---------------------------------+
|  sendmail                       | ----------------------------//
+---------------------------------+

There is a permission problem in the default setup of sendmail in all
OpenLinux versions, which allows a local attacker to cause a denial of
service, effectively stopping delivery of all mail from the current
system.

Caldera:

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-1633.html

+---------------------------------+
|  lprold                         | ----------------------------//
+---------------------------------+

ISS X-Force reported an overflow in BSD's line printer daemon shipped
with the lprold package in SuSE Linux. Due to missing bounds checks in
the lockfile processing function, internal buffers may overflow.
Bounds checks have been added to fix that problem. Additionally, the
SuSE Security Team uncovered other security-related bugs in lpd while
analyzing the lpd source after receiving the X-Force advisory. These
bugs allow users on machines listed in /etc/hosts.lpd or
/etc/hosts.equiv to chown any file on the system running lpd to any
user. In order to trigger any of the fixed bugs (including the
overflow), the attacker's machine must be listed in one of these two
access files, and the attacker usually needs root on these machines
due to the privileged-port requirement.
  i386 Intel Platform:

  SuSE-7.2
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/lprold-3.0.48-272.i386.rpm
    23b8251411a557563cb314102f405d31  lprold-3.0.48-272.i386.rpm

  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-1634.html

+---------------------------------+
|  zope                           | ----------------------------//
+---------------------------------+

The updated packages include a "hotfix" product which addresses a
security problem with DTML scripting, as described in the
Hotfix_2001-09-28 README.txt file:

  "The issue involves the fmt attribute of dtml-var tags. Without
  this correction, Zope does not check security access to methods
  invoked through fmt. This issue could allow partially trusted users
  with enough knowledge of Zope to call, in a limited way, methods
  they would not otherwise be allowed to access."

Red Hat:

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-1635.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
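As an added illustration of the bug class in the "most" advisory above (a constructed example, not most's source or Progeny's fix): a tab-expansion routine that checks every write against its fixed-size output buffer and refuses an oversized line instead of writing past the array, which is the defect the advisory describes. The tab width and the sample lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define TAB_WIDTH 8   /* assumed tab stop; most's actual setting may differ */

/* Expand tabs from `in` into the fixed-size buffer `out` (capacity `cap`,
 * including the terminating NUL). Returns the number of characters
 * written, or -1 if the expanded line would not fit. The unchecked form
 * of this loop is what lets a crafted file overwrite whatever follows the
 * buffer in memory; here every write is bounded by `cap`. */
int expand_tabs(const char *in, char *out, size_t cap)
{
    size_t col = 0;                      /* next free index in out */

    if (cap == 0)
        return -1;
    for (; *in != '\0'; in++) {
        if (*in == '\t') {
            size_t pad = TAB_WIDTH - (col % TAB_WIDTH);
            if (col + pad >= cap)        /* keep one byte for the NUL */
                return -1;
            memset(out + col, ' ', pad);
            col += pad;
        } else {
            if (col + 1 >= cap)
                return -1;
            out[col++] = *in;
        }
    }
    out[col] = '\0';
    return (int)col;
}

int main(void)
{
    char line[32];
    /* constructed inputs: a normal line and one whose expansion would
     * overflow a 32-byte buffer (four tab stops already need 32 bytes) */
    const char *ok = "x\ty";
    const char *too_long = "\t\t\t\t\t";

    if (expand_tabs(ok, line, sizeof line) >= 0)
        printf("[%s]\n", line);
    if (expand_tabs(too_long, line, sizeof line) < 0)
        printf("line too long, refused instead of overflowing\n");
    return 0;
}
```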