+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 11th, 2002                       Volume 3, Number 3a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for imp, horde, x-chat, gzip,
glibc, cipe, sudo, at, stunnel, NetBSD kernel, slashcode, pine, lids,
groff, bugzilla, and uuxqt. The vendors include Caldera, Conectiva,
Debian, EnGarde, Mandrake, NetBSD, Red Hat, Slackware, and SuSE.

FREE Apache SSL Guide from Thawte Certification - Do your online
customers demand the best available protection of their personal
information? Thawte's guide explains how to give this to your
customers by implementing SSL on your Apache Web Server. Click here
to get our FREE Thawte Apache Guide

  http://www.gothawte.com/rd176.html

Why be vulnerable? It's your choice. - Are you looking for a solution
that provides the applications necessary to easily create thousands
of virtual Web sites, manage e-mail, DNS, firewalling, database
functions for an entire organization, and supports high-speed
broadband connections all using a Web-based front-end? EnGarde Secure
Professional provides those features and more! Save 10% and Free
Shipping on all Guardian Digital Secure Servers!

  http://store.guardiandigital.com

+---------------------------------+
|  imp / horde                    | ----------------------------//
+---------------------------------+

The webmail frontend IMP has a cross site scripting problem, allowing
a remote attacker to send you an E-mail with a malformed URL that
when clicked on will open your mail session to the attacker, allowing
him to read and delete your E-mails.

  Caldera OpenLinux:
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

  RPMS/horde-1.2.7-1.i386.rpm
  53a9d75c760851f79fa72cb451416f96

  RPMS/imp-2.2.7-1.i386.rpm
  4bb1af4dcd98af6f168543476f691b95

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1798.html

+---------------------------------+
|  X-Chat                         | ----------------------------//
+---------------------------------+

It is possible to trick XChat IRC clients into sending arbitrary
commands to the IRC server they are on, potentially allowing social
engineering attacks, channel takeovers, and denial of service. This
problem exists in versions 1.4.2 and 1.4.3.

  Debian Intel ia32 architecture:

  http://security.debian.org/dists/stable/updates/main/binary-i386/
  xchat-gnome_1.4.3-1_i386.deb
  MD5 checksum: 2eb90d6a77af6c2475a976d282d76377

  http://security.debian.org/dists/stable/updates/main/
  binary-i386/xchat-text_1.4.3-1_i386.deb
  MD5 checksum: 9701ca60219d4ac8981293763474f14c

  http://security.debian.org/dists/stable/updates/main/
  binary-i386/xchat_1.4.3-1_i386.deb
  MD5 checksum: 1a45ebe67bd4b495cbbd9b9e1517239e

  XChat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1802.html

+---------------------------------+
|  gzip                           | ----------------------------//
+---------------------------------+

GOBBLES found a buffer overflow in gzip that occurs when compressing
files with really long filenames. Even though GOBBLES claims to have
developed an exploit to take advantage of this bug, it has been said
by others that this problem is not as likely to be exploitable as
other security incidents.

  Debian Intel ia32 architecture:

  http://security.debian.org/dists/stable/updates/main/
  binary-i386/gzip_1.2.4-33.1_i386.deb
  MD5 checksum: b61176ee1953b528e50268995e6c2505

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1803.html

+---------------------------------+
|  glibc                          | ----------------------------//
+---------------------------------+

A buffer overflow has been found in the globbing code for glibc. This
code is used to glob patterns for filenames and is commonly used in
applications like shells and FTP servers.

  PLEASE SEE VENDOR ADVISORY

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1804.html

  Slackware Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-1800.html

+---------------------------------+
|  cipe                           | ----------------------------//
+---------------------------------+

Larry McVoy found a bug in the packet handling code for the CIPE VPN
package: it did not check if a received packet was too short and
could crash.

  Debian Architecture independent archives:

  http://security.debian.org/dists/stable/updates/main/
  binary-all/cipe-common_1.3.0-3_all.deb
  MD5 checksum: bbfe46765a76bce4f4ce6f9855eee717

  http://security.debian.org/dists/stable/updates/main/
  binary-all/cipe-source_1.3.0-3_all.deb
  MD5 checksum: c380864ae382aff742f08869f89848f6

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1805.html

+---------------------------------+
|  sudo                           | ----------------------------//
+---------------------------------+

Sebastian Krahmer from SuSE found a vulnerability in sudo which could
easily lead to a local root exploit. This problem has been fixed in
upstream version 1.6.4 as well as in version 1.6.2p2-2.1 for the
stable release of Debian GNU/Linux.

  Debian Intel ia32 architecture:

  http://security.debian.org/dists/stable/updates/main/
  binary-i386/sudo_1.6.2p2-2.1_i386.deb
  MD5 checksum: 793c815263a64e63108628ed31537dfe

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1807.html

  Mandrake 8.0:
  http://www.mandrakesecure.net/en/ftp.php

  8.0/RPMS/sudo-1.6.4-1.1mdk.i586.rpm
  6485ad4e345eb0e4920f856d65808235

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1816.html

  NetBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/security/sudo-1.6.4.1.tgz

  NetBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-1827.html

  EnGarde sudo:

  i386/sudo-1.6.4-1.0.6.i386.rpm
  MD5 Sum: 83fceade44a6d263647653351c2acade

  i686/sudo-1.6.4-1.0.6.i686.rpm
  MD5 Sum: 8b8c9344cbc950cd9fd4f2fc1c3136f8

  EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1809.html

  Conectiva:

  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
  sudo-1.6.4p1-1U70_1cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/7.0/RPMS/
  sudo-doc-1.6.4p1-1U70_1cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1813.html

  SuSE i386 Intel Platform: SuSE-7.3

  ftp://ftp.suse.com/pub/suse/i386/update/7.3/
  ap1/sudo-1.6.3p7-71.i386.rpm
  b98f00f761274530bfad3486253bed53

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1806.html

  Red Hat i386:

  ftp://updates.redhat.com/7.2/en/os/i386/
  sudo-1.6.4-0.7x.2.i386.rpm

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1812.html

+---------------------------------+
|  at                             | ----------------------------//
+---------------------------------+

zen-parse found a bug in the current implementation of at which leads
to a heap corruption vulnerability which in turn could potentially
lead to an exploit of the daemon user.

  Debian Intel ia32 architecture:

  http://security.debian.org/dists/stable/updates/
  main/binary-i386/at_3.1.8-10.1_i386.deb
  MD5 checksum: 8af8ea462718b6bee748b2a809834d2e

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1818.html

  i386 Intel Platform: SuSE-7.3

  ftp://ftp.suse.com/pub/suse/i386/update/
  7.3/ap1/at-3.1.8-459.i386.rpm
  db3d2bd38f81667dcece38d1c4a86725

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1817.html

+---------------------------------+
|  stunnel                        | ----------------------------//
+---------------------------------+

All versions of stunnel from 3.15 to 3.21c are vulnerable to format
string bugs in the functions which implement smtp, pop, and nntp
client negotiations. Using stunnel with the "-n service" option and
the "-c" client mode option, a malicious server could use the format
string vulnerability to run arbitrary code as the owner of the
current stunnel process. Version 3.22 is not vulnerable to this bug.

  http://www.mandrakesecure.net/en/ftp.php

  Mandrake Linux 8.1:

  8.1/RPMS/stunnel-3.22-1.1mdk.i586.rpm
  08204f11728f2c6b6152de9ebb562ac5

  8.1/SRPMS/stunnel-3.22-1.1mdk.src.rpm
  e85fbd3435759fa7b94bb5c371738b30

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1828.html

+---------------------------------+
|  netbsd-kernel                  | ----------------------------//
+---------------------------------+

A process could exec a setuid binary, while gaining ptrace control
over it for a short period before the process was activated. The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.

  PLEASE SEE VENDOR ADVISORY

  NetBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-1826.html

+---------------------------------+
|  slashcode                      | ----------------------------//
+---------------------------------+

Slash, the code that runs Slashdot and many other web sites, has a
vulnerability in recent versions that allows any logged-in user to
log in as any other user. This allows users to take nearly full
control of a Slash system (post and delete stories, edit users, post
as other users, etc., and do anything that a Slash user can do) by
logging in to an administrator's Slash account.

  PLEASE SEE VENDOR ADVISORY

  Slashcode Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1799.html

+---------------------------------+
|  pine                           | ----------------------------//
+---------------------------------+

There is a vulnerability in pine which can allow an attacker to
execute arbitrary commands on a victim's machine by sending them a
specially-crafted URL which is then mishandled by pine's URL handling
code.

  EnGarde:
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

  i386/pine-4.33-1.0.6.i386.rpm
  MD5 Sum: 4b1d60e1e7ccb3a8a511db42877f0b15

  i686/pine-4.33-1.0.6.i686.rpm
  MD5 Sum: 995ed060b84adb05b5b274d353becd91

  EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1810.html

  Slackware
  Updated pine package for Slackware 8.0:

  ftp://ftp.slackware.com/pub/slackware/
  slackware-8.0/patches/packages/pine.tgz

  Slackware Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-1801.html

+---------------------------------+
|  lids                           | ----------------------------//
+---------------------------------+

Recently there were several local vulnerabilities discovered in the
LIDS system used by EnGarde Secure Linux which could allow an
attacker to gain root, and even disable LIDS completely.

  EnGarde:
  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

  PLEASE SEE VENDOR ADVISORY

  EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1811.html

+---------------------------------+
|  groff                          | ----------------------------//
+---------------------------------+

New groff packages have been made available that fix an overflow in
groff. If the printing system running this is a security issue, it is
recommended to update to the new, fixed packages.

  Red Hat i386: 7.2

  ftp://updates.redhat.com/7.2/en/os/i386/
  groff-1.17.2-7.0.2.i386.rpm
  f3181dd6c32ffc9478721244b77c89af

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1808.html

+---------------------------------+
|  bugzilla                       | ----------------------------//
+---------------------------------+

This new version fixes several security issues discovered since
version 2.14 was released, which are too serious to wait for the
upcoming 2.16 release.

  Red Hat Powertools 7.1: noarch:

  ftp://updates.redhat.com/7.1/en/powertools/noarch/
  bugzilla-2.14.1-2.noarch.rpm
  dd9607075ee2e4186f153b5587fb8ec0

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1814.html

+---------------------------------+
|  uuxqt                          | ----------------------------//
+---------------------------------+

uuxqt in Taylor UUCP package does not properly remove dangerous long
options, which allows local users to gain uid and gid uucp privileges
by calling uux and specifying an alternate configuration file with
the --config option.

  Red Hat Linux 7.2: i386:

  ftp://updates.redhat.com/7.2/en/os/i386/
  uucp-1.06.1-32.i386.rpm

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1829.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------