+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 19th, 2001                       Volume 2, Number 42a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for w3m, xvt, procmail, zope,
openssh, openssl, util-linux, htdig, kernel, and apache. The vendors
include Conectiva, Debian, Mandrake, Red Hat, and Trustix.

** FREE Apache SSL Guide from Thawte **

Planning Web Server Security? Find out how to implement SSL! Get the
free Thawte Apache SSL Guide and find the answers to all your Apache
SSL security issues and more at:

  http://www.gothawte.com/rd90.html

Have you tried EnGarde Secure Linux? The EnGarde Linux distribution
was designed from the ground up as a secure solution, starting with
the principle of least privilege, and carrying it through every aspect
of its implementation.

  http://www.engardelinux.org

Take advantage of our Linux Security discussion list! This mailing
list is for general security-related questions and comments. To
subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with "subscribe" as the subject.

+---------------------------------+
|  w3m                            | ----------------------------//
+---------------------------------+

In SNS Advisory No. 32 a buffer overflow vulnerability has been
reported in the routine which parses MIME headers that are returned
from web servers. A malicious web server administrator could exploit
this and let the client web browser execute arbitrary code. W3m
handles MIME headers included in the request/response message of HTTP
communication like any other web browser.
A buffer overflow occurs when w3m receives a MIME-encoded header in
base64 format.

Debian Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/w3m_0.1.10+0.1.11pre+kokb23-4_i386.deb
  MD5 checksum: 7b811019f0f246338cbf438952358b54

  http://security.debian.org/dists/stable/updates/main/binary-i386/w3m-ssl_0.1.10+0.1.11pre+kokb23-4_i386.deb
  MD5 checksum: 07c9aa2738a22e4984c290657c71b79d

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1646.html

+---------------------------------+
|  xvt                            | ----------------------------//
+---------------------------------+

Christophe Bailleux reported on bugtraq that Xvt is vulnerable to a
buffer overflow in its argument handling. Since Xvt is installed
setuid root, it was possible for a normal user to pass
carefully-crafted arguments to xvt so that xvt executed a root shell.

Debian Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/xvt_2.1-13.0potato.1_i386.deb
  MD5 checksum: 3fe8465dac109969c871f264d847d467

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1647.html

+---------------------------------+
|  procmail                       | ----------------------------//
+---------------------------------+

Using older versions of procmail it was possible to make procmail
crash by sending it signals. On systems where procmail is installed
setuid this could be exploited to obtain unauthorized privileges.

Debian Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/procmail_3.15.2-1_i386.deb
  MD5 checksum: d7245b21110faf119e77705eaf724218

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1648.html

+---------------------------------+
|  zope                           | ----------------------------//
+---------------------------------+

"The issue involves the fmt attribute of dtml-var tags. Without this
correction, Zope does not check security access to methods invoked
through fmt.
This issue could allow partially trusted users with enough knowledge
of Zope to call, in a limited way, methods they would not otherwise be
allowed to access."

Mandrake: i386
  PLEASE SEE VENDOR FOR UPDATE

Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1636.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

In some circumstances, the sshd server may not honor the "from="
option that can be associated with a key in a user's
~/.ssh/authorized_keys2 file if multiple keys are listed. This could
allow key-based logins from hosts which should not be allowed access.

Mandrake: i386
  PLEASE SEE VENDOR FOR UPDATE

Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1637.html

Trustix:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1641.html

Immunix:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

Immunix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1654.html

+---------------------------------+
|  openssl                        | ----------------------------//
+---------------------------------+

If a user lists multiple keys in her .ssh/authorized_keys2 file, sshd
may in some circumstances not honor the "from" option which can be
associated with a key, thereby allowing key-based logins from hosts
which should not be allowed access.

Red Hat: i386
  PLEASE SEE VENDOR ADVISORY

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html

+---------------------------------+
|  util-linux                     | ----------------------------//
+---------------------------------+

A problem existed in /bin/login's PAM implementation; it stored the
value of a static pwent buffer across PAM calls; when used with some
PAM modules in non-default configuration (such as pam_limits), it
would overwrite the buffer, causing a user to get credentials of
another user.
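The openssh item above matters most for keys whose only restriction is a
"from=" option, so an administrator rolling out the vendor update may first
want to know which keys in a user's authorized_keys2 file rely on one. The
following is an added example, not code from the advisory or from OpenSSH:
it parses protocol-2 authorized_keys lines, walks the comma-separated
options field honoring double-quoted values (which may contain commas),
and counts keys that carry no "from=" restriction. The sample key file is
constructed, the key material is placeholder text, and only the key-type
prefixes ssh-, ecdsa- and sk- are recognized as the start of the key field.

```c
/* Added example: audit authorized_keys lines for missing from= options.
 * Not part of OpenSSH; written to illustrate the advisory above. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Prefixes that identify the key field of a protocol-2 line; if the first
 * token starts with one of these the line carries no options field. */
static const char *key_prefixes[] = { "ssh-", "ecdsa-", "sk-", NULL };

static int starts_with_key_type(const char *tok)
{
    for (int i = 0; key_prefixes[i]; i++)
        if (strncmp(tok, key_prefixes[i], strlen(key_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Case-insensitive test for "from=" at the start of an option. */
static int is_from_option(const char *p)
{
    const char *want = "from=";
    for (int i = 0; want[i]; i++)
        if (tolower((unsigned char)p[i]) != want[i]) return 0;
    return 1;
}

/* Scan the options field (ends at the first unquoted whitespace).  Options
 * are comma-separated; a double-quoted value may itself contain commas and
 * backslash-escaped quotes.  Returns 1 if a from= option is present. */
int options_have_from(const char *opts)
{
    const char *p = opts;
    while (*p && !isspace((unsigned char)*p)) {
        if (is_from_option(p)) return 1;
        int inq = 0;                              /* skip to end of this option */
        while (*p && (inq || (*p != ',' && !isspace((unsigned char)*p)))) {
            if (*p == '"') inq = !inq;
            else if (*p == '\\' && inq && p[1]) p++;
            p++;
        }
        if (*p == ',') p++;
    }
    return 0;
}

/* Classify one line: -1 blank/comment, 0 key without from=, 1 key with from=. */
int line_has_from(const char *line)
{
    const char *p = line;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return -1;
    if (starts_with_key_type(p)) return 0;        /* key field first, no options */
    return options_have_from(p);
}

/* Count keys in a newline-separated buffer that lack a from= restriction. */
int count_unrestricted(const char *buf)
{
    int count = 0;
    while (*buf) {
        size_t n = strcspn(buf, "\n");
        char line[4096];
        if (n >= sizeof line) n = sizeof line - 1;  /* options sit at the front */
        memcpy(line, buf, n);
        line[n] = '\0';
        if (line_has_from(line) == 0) count++;
        buf += n;
        if (*buf == '\n') buf++;
    }
    return count;
}

/* Constructed sample file; key blobs are placeholders, not real keys. */
const char *const sample_keys =
    "# constructed sample authorized_keys2 file\n"
    "from=\"10.0.0.0/8,*.corp.example\",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB alice@laptop\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB bob@desk\n"
    "command=\"/usr/bin/rsync --server\",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC backup\n"
    "environment=\"FROM=bogus\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQAC carol\n";

int main(void)
{
    printf("keys without a from= restriction: %d\n", count_unrestricted(sample_keys));
    return 0;
}
```

The "environment=" line is the edge case worth noting: the string FROM=
appears inside a quoted value, and the parser only matches at the start of an
option, so that key is correctly reported as unrestricted.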
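The util-linux item describes a bug class worth seeing in code: getpwnam()
and getpwuid() return a pointer into static storage inside the C library, so
holding only that pointer while other code (here a PAM module) performs its
own lookup leaves the caller reading the wrong user's entry. The following
is an added example, not util-linux's login code or its fix. lookup_user()
is a constructed stand-in for libc's getpwnam() with a two-entry table, so
the example runs without real accounts, and pam_module_does_lookup() stands
in for a module such as pam_limits that looks up a user during session
setup.

```c
/* Added example of the "static pwent buffer across PAM calls" bug class.
 * Constructed stand-ins replace libc and PAM so it runs offline. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static struct passwd static_pw;      /* the one static result buffer */
static char static_name[64];

/* Constructed stand-in for getpwnam(): like the real call, it returns a
 * pointer to static storage that the next lookup overwrites. */
struct passwd *lookup_user(const char *name)
{
    static const struct { const char *n; uid_t u; gid_t g; } table[] = {
        { "alice", 1000, 1000 }, { "bob", 1001, 1001 },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(name, table[i].n) == 0) {
            snprintf(static_name, sizeof static_name, "%s", table[i].n);
            memset(&static_pw, 0, sizeof static_pw);
            static_pw.pw_name = static_name;
            static_pw.pw_uid = table[i].u;
            static_pw.pw_gid = table[i].g;
            return &static_pw;
        }
    }
    return NULL;
}

/* Stand-in for a PAM module (the advisory names pam_limits) that performs
 * its own passwd lookup while the session is being set up. */
static void pam_module_does_lookup(void)
{
    (void)lookup_user("bob");
}

/* Buggy pattern: keep only the pointer across the PAM calls. */
uid_t buggy_login_uid(const char *user)
{
    struct passwd *pwd = lookup_user(user);
    if (!pwd) return (uid_t)-1;
    pam_module_does_lookup();        /* overwrites *pwd */
    return pwd->pw_uid;              /* now the other user's uid */
}

/* Fixed pattern: copy every field needed before anything else can touch
 * the passwd database.  A reentrant getpwnam_r() into caller-owned storage
 * achieves the same end. */
uid_t fixed_login_uid(const char *user)
{
    struct passwd *pwd = lookup_user(user);
    if (!pwd) return (uid_t)-1;
    struct passwd saved = *pwd;      /* copies the scalar fields */
    char name[64];
    snprintf(name, sizeof name, "%s", pwd->pw_name);   /* deep-copy the string */
    saved.pw_name = name;
    pam_module_does_lookup();
    return saved.pw_uid;             /* still the user who logged in */
}

int main(void)
{
    printf("buggy: alice gets uid %u\n", (unsigned)buggy_login_uid("alice"));
    printf("fixed: alice gets uid %u\n", (unsigned)fixed_login_uid("alice"));
    return 0;
}
```

Note that a shallow struct copy is not enough on its own: the pointer fields
(pw_name, pw_dir, pw_shell and so on) still point into the static buffer, so
each string that is needed later has to be copied as well.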
Red Hat: i386
  ftp://updates.redhat.com/7.1/en/os/i386/util-linux-2.11f-11.7.1.i386.rpm
  2bf1db1cadc50f783220f70aa2b7a09c

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1638.html

Trustix: i386
  http://www.trustix.net/pub/Trustix/updates/
  ./1.5/RPMS/util-linux-2.11f-6tr.i586.rpm
  d96660d42ee2901c18577e26616cabdf
  ./1.5/RPMS/mount-2.11f-6tr.i586.rpm
  4a7a357bf1ad7e7999a39c508326b155
  ./1.5/RPMS/losetup-2.11f-6tr.i586.rpm
  94dc41a4acf854f7bfff2276393ccd04

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1642.html

+---------------------------------+
|  htdig                          | ----------------------------//
+---------------------------------+

A malicious user could point htsearch to a file like `/dev/zero' and
let the server run in an endless loop, trying to read config
parameters. If the user has write permission on the server he can
point the program to it and retrieve any file readable by the
webserver user id.

Mandrake Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/htdig_3.1.5-2.0potato.1_i386.deb
  MD5 checksum: 77befd19641a294cb0a47b72aa15e91c

Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1640.html

+---------------------------------+
|  kernel                         | ----------------------------//
+---------------------------------+

There are two bugs present in Linux kernels 2.2.x, x<=19 and 2.4.y,
y<=9. The first vulnerability results in local DoS. The second one,
involving ptrace, can be used to gain root privileges locally (in case
of default install of most popular distributions). Linux 2.0.x is not
vulnerable to the ptrace bug mentioned.
Kernel Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1643.html

Openwall Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1644.html

EnGarde:
  PLEASE SEE VENDOR ADVISORY

EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1650.html

Caldera:
  PLEASE SEE VENDOR ADVISORY

Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1652.html

Trustix:
  PLEASE SEE VENDOR ADVISORY

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1653.html

+---------------------------------+
|  apache                         | ----------------------------//
+---------------------------------+

An intentionally malformed Host: header could allow any file with a
.log extension to be overwritten due to a problem in the split-logfile
script. Conectiva Linux does not ship split-logfile, but users who may
have installed this script manually are thus advised to check their
systems for this vulnerability. [1]

When Multiviews are used to negotiate the directory index, under
certain conditions a request for the URI /?M=D could return a
directory listing rather than negotiated content.
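The split-logfile problem above comes down to a value taken from a
client-supplied Host: header being used, unvalidated, to name a file. The
following is an added example, not the split-logfile script or Apache code:
it takes the virtual-host field from a log line (assumed here to be the first
whitespace-delimited field), accepts it only if it is syntactically a
hostname (letters, digits, '.' and '-', labels of 1 to 63 characters, no
leading or trailing '.' or '-'), lowercases it, and only then builds the
<vhost>.log file name. Anything containing a path separator, an empty label
or other non-hostname characters is refused. The log lines are constructed.

```c
/* Added example: validate a logged vhost name before using it as a
 * file name.  Not part of Apache or split-logfile. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_HOST 253   /* maximum length of a DNS name */

/* Return 1 if 'host' is a well-formed hostname: only alphanumerics, '.'
 * and '-', each label 1..63 characters, no label starting or ending with
 * '-', no empty label (so no leading, trailing or doubled '.'). */
int valid_vhost_name(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > MAX_HOST) return 0;
    size_t label = 0;                         /* length of the current label */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return 0;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;   /* rejects '/', '\\', ':', ... */
        if (label == 0 && c == '-') return 0;
        if (++label > 63) return 0;
    }
    return label > 0 && host[len - 1] != '-';
}

/* Take the first field of a log line as the vhost and write
 * "<lowercased vhost>.log" into 'out'.  Returns 0 on success, -1 if the
 * field is missing, malformed, or the result does not fit. */
int logfile_for_line(const char *line, char *out, size_t outsz)
{
    char host[MAX_HOST + 2];
    size_t n = 0;
    while (isspace((unsigned char)*line)) line++;
    while (line[n] && !isspace((unsigned char)line[n])) {
        if (n >= MAX_HOST) return -1;         /* longer than any hostname */
        host[n] = (char)tolower((unsigned char)line[n]);
        n++;
    }
    host[n] = '\0';
    if (!valid_vhost_name(host)) return -1;
    if (snprintf(out, outsz, "%s.log", host) >= (int)outsz) return -1;
    return 0;
}

/* Convenience for checks: does 'line' map to the log file 'want'? */
int maps_to(const char *line, const char *want)
{
    char out[MAX_HOST + 8];
    return logfile_for_line(line, out, sizeof out) == 0 && strcmp(out, want) == 0;
}

int main(void)
{
    /* Constructed log lines in a "%v %h ..." style layout. */
    const char *lines[] = {
        "www.Example.com 192.0.2.1 - - [19/Oct/2001:10:00:00 -0400] \"GET / HTTP/1.0\" 200 1234",
        "not/a/host 192.0.2.2 - - [19/Oct/2001:10:00:01 -0400] \"GET / HTTP/1.0\" 200 1234",
        "host..name 192.0.2.3 - - [19/Oct/2001:10:00:02 -0400] \"GET / HTTP/1.0\" 200 1234",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char out[MAX_HOST + 8];
        if (logfile_for_line(lines[i], out, sizeof out) == 0)
            printf("line %zu -> %s\n", i, out);
        else
            printf("line %zu -> rejected\n", i);
    }
    return 0;
}
```

Lowercasing before building the name keeps one virtual host from being
spread across several files that differ only in case, and the length checks
bound the name before it is ever joined with a directory.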
[2] [3]

Conectiva:
  ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/apache-1.3.22-U70_1cl.src.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.22-U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.22-U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.22-U70_1cl.i386.rpm

Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1645.html

EnGarde:
  i386/apache-1.3.22-1.0.26.i386.rpm
  MD5 Sum: 96572199eee00807d35b8c78d1fcc011
  i686/apache-1.3.22-1.0.26.i686.rpm
  MD5 Sum: 17a01bce42ad8d34ec4e87ef2949fc90
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1649.html

+---------------------------------+
|  xinetd                         | ----------------------------//
+---------------------------------+

Solar Designer did an audit of xinetd 2.3.0 and came up with a list of
potential vulnerabilities. This release fixes all known
vulnerabilities as a precautionary measure. Most of these fixes are in
the interest of robustness and are not known to be exploitable at this
time.

EnGarde:
  i386/xinetd-2.3.3-1.0.19.i386.rpm
  MD5 Sum: 41c24df4e59ae3e3e6a6fe5db4d1f64d
  i686/xinetd-2.3.3-1.0.19.i686.rpm
  MD5 Sum: 76df066a15dbc80456203bb4e945eaa0
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1651.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------