+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 11th, 2002                       Volume 3, Number 2a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for exim, libgtop, mutt,
pkg_install, pw, pine, mod_auth_pgsql, bind, proftpd, LIDS, stunnel,
and namazu. The vendors include Conectiva, Debian, FreeBSD, Mandrake,
Red Hat, SuSE, and Trustix.

** FREE SSL Guide from Thawte - Are you planning your Web Server
Security? Click here to get a FREE Thawte SSL guide and find the
answers to all your SSL security issues.
http://www.gothawte.com/rd175.html

Why be vulnerable? It's your choice. - Are you looking for a solution
that provides the applications necessary to easily create thousands of
virtual Web sites, manage e-mail, DNS, firewalling and database
functions for an entire organization, and supports high-speed broadband
connections, all using a Web-based front-end? EnGarde Secure
Professional provides those features and more! Want to learn more?
http://store.guardiandigital.com/html/eng/493-AA.shtml

+---------------------------------+
|  exim                           | ----------------------------//
+---------------------------------+

This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution. We recommend that you upgrade your exim package.
Debian Intel IA-32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/exim_3.12-10.2_i386.deb
    MD5 checksum: d5a2fc41c32504d9982416fbabc53629
  http://security.debian.org/dists/stable/updates/main/binary-i386/eximon_3.12-10.2_i386.deb
    MD5 checksum: 02ed4af9505089b21ccbe2d3391c4e51

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1776.html

Red Hat: PLEASE SEE VENDOR ADVISORY

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1792.html

+---------------------------------+
|  libgtop                        | ----------------------------//
+---------------------------------+

The laboratory intexxia found a format string problem in the logging
code of libgtop_daemon. Two logging functions, which are called when
authorizing a client, could be exploited by a remote user.

Debian Intel IA-32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/libgtop-daemon_1.0.6-1.1_i386.deb
    MD5 checksum: 169c014d0fff9d24045ed733fb26aacc
  http://security.debian.org/dists/stable/updates/main/binary-i386/libgtop-dev_1.0.6-1.1_i386.deb
    MD5 checksum: 9ed2aea64be71cf4c4e5dc6274d9c774
  http://security.debian.org/dists/stable/updates/main/binary-i386/libgtop1_1.0.6-1.1_i386.deb
    MD5 checksum: 321badb855ed000452f0180a2e557388

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1787.html

Trustix:
  http://www.trustix.net/pub/Trustix/updates/
  ./1.5/RPMS/mutt-1.2.5i.1-1tr.i586.rpm
    a0181fdebd24a64cec3ab62949a8cdc4

Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1784.html

+---------------------------------+
|  pkg_install                    | ----------------------------//
+---------------------------------+

A local attacker may be able to modify the package contents and
potentially elevate privileges or otherwise compromise the system.
There are no known exploits as of the date of this advisory.
FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:01/pkg_add.patch

FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1778.html

+---------------------------------+
|  pw                             | ----------------------------//
+---------------------------------+

A local attacker can read the temporary file created by pw(8) and use
the encrypted passwords to conduct an off-line dictionary attack. A
successful attack would result in the recovery of one or more
passwords. Because the temporary file is short-lived (it is removed
almost immediately after creation), this can be difficult to exploit:
an attacker must `race' to read the file before it is removed.

FreeBSD:
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:02/pw.patch

FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1779.html

+---------------------------------+
|  mutt                           | ----------------------------//
+---------------------------------+

An attacker may send an email message with a specially crafted email
address in any of several message headers to the victim. When the
victim reads the message using mutt and encounters that email address,
the buffer overflow is triggered and may result in arbitrary code being
executed with the privileges of the victim.
FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-1.2.5_1.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-devel-1.3.24_2.tgz

FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1780.html

Updated FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1781.html

Conectiva:
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mutt-doc-1.3.17-8U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mutt-help-1.3.17-8U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/mutt-1.3.17-8U70_1cl.i386.rpm

Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1786.html

Red Hat 7.2:
  i386:
  ftp://updates.redhat.com/7.2/en/os/i386/mutt-1.2.5.1-1.i386.rpm
    d362ea15a13e305e1e9a360715c55fee

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1790.html

Slackware:

Slackware Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-1788.html

SuSE:

SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1785.html

Debian Sun Sparc architecture:
  http://security.debian.org/dists/stable/updates/main/binary-sparc/mutt_1.2.5-5_sparc.deb
    MD5 checksum: 8bb33cd0efac0aeb345e87d58188e905

Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1777.html

+---------------------------------+
|  pine                           | ----------------------------//
+---------------------------------+

An attacker can supply commands enclosed in single quotes ('') in a
URL embedded in a message sent to the victim. If the user then decides
to view the URL, PINE will launch a command shell which will then
execute the attacker's commands with the victim's privileges. It is
possible to obfuscate the URL so that it will not necessarily seem
dangerous to the victim.
FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.43.tgz

FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1782.html

FreeBSD Advisory Update:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1797.html

+---------------------------------+
|  mod_auth_pgsql                 | ----------------------------//
+---------------------------------+

A remote user may insert arbitrary SQL code into the username during
authentication, leading to several exploit opportunities. In
particular, the attacker may cause mod_auth_pgsql to use a known fixed
password hash for user verification, allowing him to authenticate as
any user and obtain unauthorized access to web server data.

FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/mod_auth_pgsql-0.9.9.tgz

FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1783.html

+---------------------------------+
|  bind                           | ----------------------------//
+---------------------------------+

There are some insecure permissions on configuration files and
executables with the bind 9.x packages shipped with Mandrake Linux 8.0
and 8.1. This update provides stricter permissions by making the
/etc/rndc.conf and /etc/rndc.key files read/write by the named user
and by making /sbin/rndc-confgen and /sbin/rndc read/write/executable
only by root.

Mandrake Linux 8.0:
  http://www.mandrakesecure.net/en/ftp.php
  8.0/RPMS/bind-9.1.1-1.1mdk.i586.rpm
    a086335b56151269c252428df794e154
  8.0/RPMS/bind-devel-9.1.1-1.1mdk.i586.rpm
    080d61511f43ecbfc07809221e0e70b7
  8.0/RPMS/bind-utils-9.1.1-1.1mdk.i586.rpm
    05ba599912dd98bdc328c715c4ebdf81

Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1794.html

+---------------------------------+
|  proftpd                        | ----------------------------//
+---------------------------------+

ProFTPD was not forward-resolving reverse-resolved hostnames.
A remote attacker could exploit this vulnerability[1] to bypass ProFTPD
access control lists or have false information (the client hostname)
logged. It was discovered by Matthew S. Hallacy.

Conectiva:
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/proftpd-1.2.5rc1-1U70_1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/proftpd-doc-1.2.5rc1-1U70_1cl.i386.rpm

Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1793.html

+---------------------------------+
|  LIDS                           | ----------------------------//
+---------------------------------+

The use of LD_PRELOAD can make a program with privileges given by LIDS
execute an attacker's code. This means that a root intruder can get
every capability or filesystem access you configured LIDS to grant.
Moreover, if you granted CAP_SYS_RAWIO or CAP_SYS_MODULE to a program,
an attacker could deactivate LIDS and thus access any file.

PLEASE SEE LIDS ADVISORY

LIDS Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1795.html

+---------------------------------+
|  stunnel                        | ----------------------------//
+---------------------------------+

Updated stunnel packages are now available for Red Hat Linux 7.2.
These updates close a format-string vulnerability which is present in
some earlier versions of stunnel.

Red Hat 7.2:
  i386:
  ftp://updates.redhat.com/7.2/en/os/i386/stunnel-3.22-1.i386.rpm
    b62a3f6c4418550873602147697213b0

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1791.html

+---------------------------------+
|  namazu                         | ----------------------------//
+---------------------------------+

Namazu is a full-text search engine. Namazu 2.0.9 and earlier may
inadvertently include malicious HTML tags or scripts in a dynamically
generated page, based on unvalidated input from untrustworthy sources.
Also, a buffer overflow vulnerability exists in the buffer used for an
environment variable.
Red Hat 7.0J:
  i386:
  ftp://updates.redhat.com/7.0/ja/os/i386/namazu-2.0.10-0j1.i386.rpm
  ftp://updates.redhat.com/7.0/ja/os/i386/namazu-devel-2.0.10-0j1.i386.rpm
  ftp://updates.redhat.com/7.0/ja/os/i386/namazu-cgi-2.0.10-0j1.i386.rpm

Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1796.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------