Linux Advisory Watch - October 19th, 2001

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 19th, 2001                       Volume 2, Number 42a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
 
Linux Advisory Watch is a comprehensive newsletter that outlinesthe
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
 
This week, advisories were released for w3m, xvt, procmail, zope, openssh,
openssl, until-linux, htdig, kernel, and apache.  The vendors include
Conectiva, Debian, Mandrake, Red Hat, and Trustix.

** FREE Apache SSL Guide from Thawte **
 
Planning Web Server Security? Find out how to implement SSL!  Get the free
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security issues and more at:
 
http://www.gothawte.com/rd90.html 
 
 
Have you tried EnGarde Secure Linux?  The EnGarde Linux distribution was
designed from the ground up as a secure solution, starting with the
principle of least privilege, and carrying it through every aspect of its
implementation.http://www.engardelinux.org

Take advantage of our Linux Security discussion list!  This mailing list
is for general security-related questions and comments. To subscribe send
an e-mail to security-discuss-request@linuxsecurity.com with "subscribe"
as the subject.


+---------------------------------+
|  w3m                            | ----------------------------//
+---------------------------------+

In SNS Advisory No. 32 a buffer overflow vulnerability has been reported
in the routine which parses MIME headers that are returned from web
servers.  A malicious web server administrator could exploit this and let
the client web browser execute arbitrary code. W3m handles MIME headers
included in the request/response message of HTTP communication like any
other we bbrowser.  A buffer overflow will be occur when w3m receives a
MIME encoded header with base64 format

 Debian Intel ia32 architecture: 
 http://security.debian.org/dists/stable/updates/main/binary-i386 
 /w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb 
 MD5 checksum: 7b811019f0f246338cbf438952358b54 

 http://security.debian.org/dists/stable/updates/main/binary-i386/ 
 w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb 
 MD5 checksum: 07c9aa2738a22e4984c290657c71b79d  

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1646.html 
  
  


+---------------------------------+
|  xvt                            | ----------------------------//
+---------------------------------+

Christophe Bailleux reported on bugtraq that Xvt is vulnerable to a buffer
overflow in its argument handling.  Since Xvt is installed setuid root, it
was possible for a normal user to pass carefully-crafted arguments to xvt
so that xvt executed a root shell


 Debian Intel ia32 architecture: 
 http://security.debian.org/dists/stable/updates/main/binary-i386/ 
 xvt_2.1-13.0potato.1_i386.deb 
 MD5 checksum: 3fe8465dac109969c871f264d847d467 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1647.html


  
+---------------------------------+
|  procmail                       | ----------------------------//
+---------------------------------+

Using older versions of procmail it was possible to make procmail crash by
sending it signals.  On systems where procmail is installed setuid this
could be exploited to obtain unauthorized privileges.

 Debian Intel ia32 architecture: 
 http://security.debian.org/dists/stable/updates/main/binary-i386/ 
 procmail_3.15.2-1_i386.deb 
 MD5 checksum: d7245b21110faf119e77705eaf724218 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1648.html


  

+---------------------------------+
|  zope                           | ----------------------------//
+---------------------------------+

"The issue involves the fmt attribute of dtml-var tags.  Without this
correction, Zope does not check security access to methods invoked through
fmt.  This issue could allow partially trusted users with enough knowledge
of Zope to call, in a limited way, methods they would not otherwise be
allowed to access."

 Mandrake: i386 
 PLEASE SEE VENDOR FOR UPDATE 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1636.html




+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

In some circumstances, the sshd server may not honor the "from=" option
that can be associated with a key in a user's ~/.ssh/authorized_keys2 file
if multiple keys are listed.  This could allow key-based logins from hosts
which should not be allowed access.


 Mandrake: i386 
 PLEASE SEE VENDOR FOR UPDATE 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1637.html 


 Trustix:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Trustix Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1641.html 
  
  
 Immunix:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Immunix: Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1654.html



+---------------------------------+
|  openssl                        | ----------------------------//
+---------------------------------+

If a user lists multiple keys in her .ssh/authorized_keys2 file, sshd may
in some circumstances not honor the "from" option which can be associated
with a key, thereby allowing key-based logins from hosts which should not
be allowed access.

 Red Hat: i386 
 PLEASE SEE VENDOR ADVISORY 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html


  

+---------------------------------+
|  until-linux                    | ----------------------------//
+---------------------------------+

A problem existed in /bin/login's PAM implementation; it stored the value
of a static pwent buffer across PAM calls; when used with some PAM modules
in non-default configuration (such as pam_limits), it would overwrite the
buffer, causing a user to get credentials of another user.

 Red Hat: i386 
 ftp://updates.redhat.com/7.1/en/os/i386/ 
 util-linux-2.11f-11.7.1.i386.rpm 
 2bf1db1cadc50f783220f70aa2b7a09c 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html 
  

 Trustix: i386 
 http://www.trustix.net/pub/Trustix/updates/ 

 ./1.5/RPMS/util-linux-2.11f-6tr.i586.rpm 
 d96660d42ee2901c18577e26616cabdf 

 ./1.5/RPMS/mount-2.11f-6tr.i586.rpm 
 4a7a357bf1ad7e7999a39c508326b155 

 ./1.5/RPMS/losetup-2.11f-6tr.i586.rpm 
 94dc41a4acf854f7bfff2276393ccd04 

 Trustix Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1642.html


  

+---------------------------------+
|  htdig                          | ----------------------------//
+---------------------------------+

A malicious user could point htsearch to a file like `/dev/zero' and let
the server run in an endless loop, trying to read config parameters.  If
the user has write permission on the server he can point the program to it
and retrive any file readable by the webserver user id.
  

 Mandrake Intel ia32 architecture: 
 http://security.debian.org/dists/stable/updates/main/binary-i386/ 
 htdig_3.1.5-2.0potato.1_i386.deb 
 MD5 checksum: 77befd19641a294cb0a47b72aa15e91c  

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1640.html 


  
+---------------------------------+
|  kernel                         | ----------------------------//
+---------------------------------+

There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y, y<=9.
The first vulnerability results in local DoS. The second one, involving
ptrace, can be used to gain root privileges locally (in case of default
install of most popular distributions). Linux 2.0.x is not vulnerable to
the ptrace bug mentioned.

 Kernel Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1643.html 

 Openwall Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1644.html

 EnGarde:
 PLEASE SEE VENDOR ADVISORY

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1650.html


 Caldera:
 PLEASE SEE VENDOR ADVISORY

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1652.html


 Trustix:
 PLEASE SEE VENDOR ADVISORY

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1653.html




+---------------------------------+
|  apache                         | ----------------------------//
+---------------------------------+

A intentionally malformed Host: header could allow any file with a .log
extention to be overwritten due to a problem in the split-logfile script.
Conectiva Linux does not ship split-logfile, but users who may have
installed this script manually are thus advised to check their systems for
this vulnerability. [1] When Multiviews are used to negotiate the
directory index, under certain conditions a request for the URI /?M=D
could return a directory listing rather than negotiated content. [2] [3]

 Conectiva: 
 ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/ 
 apache-1.3.22-U70_1cl.src.rpm 
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 apache-1.3.22-U70_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 apache-devel-1.3.22-U70_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/a 
 pache-doc-1.3.22-U70_1cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1645.html


 EnGarde:
 i386/apache-1.3.22-1.0.26.i386.rpm
 MD5 Sum:  96572199eee00807d35b8c78d1fcc011

 i686/apache-1.3.22-1.0.26.i686.rpm
 MD5 Sum:  17a01bce42ad8d34ec4e87ef2949fc90


 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1649.html     




+---------------------------------+
|  xinetd                         | ----------------------------//
+---------------------------------+

Solar Designer did an audit of xinetd 2.3.0 and came up with a list of
potential vulnerabilities.  This release fixes all known vulnerabilities
as a precautionary measure.  Most of these fixes are in the interest of
robustness and are not known to be exploitable at this time.


 EnGarde:
 i386/xinetd-2.3.3-1.0.19.i386.rpm
 MD5 Sum:  41c24df4e59ae3e3e6a6fe5db4d1f64d

 i686/xinetd-2.3.3-1.0.19.i686.rpm
 MD5 Sum:  76df066a15dbc80456203bb4e945eaa0


 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ 

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1651.html
     


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux