+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  January 25th, 2002                       Volume 3, Number 4a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave@linuxsecurity.com       ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for enscript, icecast-server, at,
k5su, FreeBSD kernel, Red Hat kernel, jmcce, groff, sudo, gzip, x-chat,
mysql, exim, openldap, openssh, and wu-ftp. The vendors include
Conectiva, Debian, FreeBSD, Immunix, Mandrake, Red Hat, Slackware,
Trustix, and TurboLinux.

*** FREE Apache SSL Guide from Thawte - Are you worried about your web
server security? Click here to get a FREE Thawte Apache SSL Guide and
find the answers to all your Apache SSL security needs.
http://www.gothawte.com/rd177.html

Why be vulnerable? It's your choice. - Are you looking for a solution
that provides the applications necessary to easily create thousands of
virtual Web sites, manage e-mail, DNS, firewalling and database
functions for an entire organization, and supports high-speed broadband
connections, all using a Web-based front-end? EnGarde Secure
Professional provides those features and more!
http://store.guardiandigital.com

Save 10% and Free Shipping on all Guardian Digital Secure Servers!
http://store.guardiandigital.com/html/eng/static/server.html

+---------------------------------+
|  enscript                       | ----------------------------//
+---------------------------------+

The version of enscript (a tool to convert ASCII text to different
formats) has been found to create temporary files insecurely.
  Debian Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/enscript_1.6.2-4.1_i386.deb
    MD5 checksum: 6eb940c410f2363a35fc0ba29bd03e6b

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1840.html

  Red Hat i386:
    ftp://updates.redhat.com/7.2/en/os/i386/enscript-1.6.1-16.2.i386.rpm
    MD5 checksum: 60c482286d2eaa7a48b707cfad323c50

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-1839.html

+---------------------------------+
|  icecast-server                 | ----------------------------//
+---------------------------------+

In Debian Security Advisory DSA-089-1 we reported that icecast-server
has several security problems. For details please see that advisory.
The i386 package mentioned in the DSA-089-1 advisory was incorrectly
compiled and will not run on Debian GNU/Linux potato machines. This has
been corrected in version 1.3.10-1.1.

  Debian Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/icecast-server_1.3.10-1.1_i386.deb
    MD5 checksum: 6777c4acf5c95daf691597ed5b9ee502

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1841.html

+---------------------------------+
|  at                             | ----------------------------//
+---------------------------------+

Basically, this is the same Security Advisory as DSA 102-1, except that
the uploaded binary packages really fix the problem this time.
Unfortunately the bugfix from DSA 102-1 wasn't propagated properly due
to a packaging bug. While the file parsetime.y was fixed, and yy.tab.c
should be generated from it, yy.tab.c from the original source was
still used. This has been fixed now.
  Debian Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/at_3.1.8-10.2_i386.deb
    MD5 checksum: 3bd377404b28aafe13d9f4640fa82daf

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1837.html

  Mandrake Linux 8.1:
    http://www.mandrakesecure.net/en/ftp.php
    8.1/RPMS/at-3.1.8-4.1mdk.i586.rpm
    MD5 checksum: 066814fda6dfc8f74721861a90c1d167

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-1838.html

  Red Hat i386:
    ftp://updates.redhat.com/7.2/en/os/i386/at-3.1.8-23.i386.rpm
    MD5 checksum: ea793fd803f10c8fa66abb8191fefb9b

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-1844.html

  Updated packages for Slackware 8.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/at.tgz

  Slackware Vendor Advisory:
    http://www.linuxsecurity.com/advisories/slackware_advisory-1843.html

+---------------------------------+
|  k5su                           | ----------------------------//
+---------------------------------+

The setlogin system call, the use of which is restricted to the
superuser, is used to associate a user name with a login session. The
getlogin system call is used to retrieve that user name. The setlogin
system call is typically used by applications such as login and sshd.

  FreeBSD:
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:07/k5su.patch

  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-1849.html

+---------------------------------+
|  FreeBSD kernel                 | ----------------------------//
+---------------------------------+

A race condition exists in the FreeBSD exec system call implementation.
It is possible for a user to attach a debugger to a process while it is
exec'ing, but before the kernel has determined that the process is
set-user-ID or set-group-ID.
  FreeBSD:
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-02:08/security-patch-exec-02.08.tgz

  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-1850.html

+---------------------------------+
|  jmcce                          | ----------------------------//
+---------------------------------+

A problem exists in the jmcce program that is used for Chinese text on
the console. jmcce is installed setuid root and places log files in
/tmp; because jmcce does not perform suitable checking on the files it
writes to and because it uses a predictable logfile name, an attacker
could exploit this to arbitrarily overwrite any file on the system.

  Mandrake Linux 8.1:
    http://www.mandrakesecure.net/en/ftp.php
    8.1/RPMS/jmcce-1.3-9.1mdk.i586.rpm
    MD5 checksum: fd002f1c3d0a054f51815734c3affa07

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-1842.html

+---------------------------------+
|  groff                          | ----------------------------//
+---------------------------------+

Various security issues have been fixed with this release. The new
upstream version is 1.17.2, and it is patched against the pic bug,
among others.

  Trustix:
    http://www.trustix.net/pub/Trustix/updates/
    ./1.5/RPMS/groff-perl-1.17.2-1tr.i586.rpm
    MD5 checksum: 37d4d41e94f8576a3e8f4c3c0563fc5f
    ./1.5/RPMS/groff-1.17.2-1tr.i586.rpm
    MD5 checksum: 5884e2378768596171f62343ce20ecca

  Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1835.html

+---------------------------------+
|  sudo                           | ----------------------------//
+---------------------------------+

The old sudo package contained a possible local root exploit by which
an attacker could trick sudo into logging failed sudo calls and thereby
executing the postfix MTA with root privileges and an environment that
was not completely clean. The problem has been fixed upstream.
  Trustix:
    http://www.trustix.net/pub/Trustix/updates/
    ./1.5/RPMS/sudo-1.6.5p1-2tr.i586.rpm
    MD5 checksum: 05c7479176ea6ee63bbab31cfdb510d8

  Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1836.html

  Immunix OS 7.0 md5sums:
    RPMS/sudo-1.6.5p1-1_imnx.i386.rpm
    MD5 checksum: 0e41c0231a226417cf0c5e0d009ac4fe

  Immunix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1830.html

  Updated packages for Slackware 8.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/sudo.tgz

  Slackware Vendor Advisory:
    http://www.linuxsecurity.com/advisories/slackware_advisory-1843.html

+---------------------------------+
|  gzip                           | ----------------------------//
+---------------------------------+

From the gzip homepage: "gzip 1.2.4 may crash when an input file name
is too long (over 1020 characters). The buffer overflow may be
exploited if gzip is run by a server such as an ftp server. Some ftp
servers allow compression and decompression on the fly and are thus
vulnerable."

  Trustix:
    http://www.trustix.net/pub/Trustix/updates/
    ./1.5/RPMS/gzip-doc-1.2.4a-18tr.i586.rpm
    MD5 checksum: ac9998f2c41b86218988d945c0c2921a
    ./1.5/RPMS/gzip-1.2.4a-18tr.i586.rpm
    MD5 checksum: 46ff7a81657e3818edf36590c7ed39e8

  Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1834.html

+---------------------------------+
|  x-chat                         | ----------------------------//
+---------------------------------+

zen-parse discovered[1] a vulnerability in the xchat CTCP PING handler
which could be exploited by an attacker to trick the xchat IRC user
into sending arbitrary IRC commands to the server (a typical example is
a command to give channel operator status to the attacker).
  Conectiva:
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/xchat-1.8.7-1U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/xchat-gtk-1.8.7-1U70_1cl.i386.rpm

  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1831.html

  Updated packages for Slackware 8.0:
    ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/xchat.tgz

  Slackware Vendor Advisory:
    http://www.linuxsecurity.com/advisories/slackware_advisory-1843.html

+---------------------------------+
|  MySQL                          | ----------------------------//
+---------------------------------+

The package shipped with Conectiva Linux 6.0 and older logs by default
all queries made to the database to the /var/log/mysql file. This
includes user creation, password changes via SQL commands and other
queries. Our package incorrectly leaves the permissions of this file as
world-readable (0644), thus allowing any user on the system access to
potentially sensitive information.

  Conectiva:
    ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_1cl.i386.rpm

  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1833.html

+---------------------------------+
|  exim                           | ----------------------------//
+---------------------------------+

Versions prior to 3.34 have a vulnerability[1] which can be used by a
remote attacker to execute arbitrary commands on the server under
certain conditions.
  Conectiva:
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/exim-3.22-9U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/exim-config-samples-3.22-9U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/exim-doc-3.22-9U70_1cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/7.0/RPMS/exim-mon-3.22-9U70_1cl.i386.rpm

  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1832.html

+---------------------------------+
|  openldap                       | ----------------------------//
+---------------------------------+

Updated OpenLDAP packages are now available for Red Hat Linux 7, 7.1,
and 7.2. These updates resolve a vulnerability which would allow users
to remove non-mandatory attributes from any object in a directory.

  PLEASE SEE VENDOR ADVISORY

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-1845.html

+---------------------------------+
|  Red Hat kernel                 | ----------------------------//
+---------------------------------+

It is recommended that users running older 2.2 kernels on Red Hat Linux
6.2 or 7 upgrade to the latest available errata kernel, which includes
a fix for this problem. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2002-0046 to this
issue.

  PLEASE SEE VENDOR ADVISORY

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-1848.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

If the UseLogin feature is enabled in ssh, local users could pass
environment variables to the login process. A user can gain root
privileges.
  TurboLinux:
    PLEASE SEE VENDOR ADVISORY

  TurboLinux Vendor Advisory:
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-1846.html

+---------------------------------+
|  wu-ftp                         | ----------------------------//
+---------------------------------+

Any logged in user (including anonymous FTP users) can exploit the bug
to gain root privileges on the server.

  TurboLinux:
    ftp://ftp.turbolinux.com/pub/updates/6.0/security/wu-ftpd-2.6.1-10.i386.rpm
    MD5 checksum: 370d61d7c3a74180a1532bf462a460de

  TurboLinux Vendor Advisory:
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-1847.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
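The enscript and jmcce items above are the same bug class: a privileged program writing to a predictable name under /tmp without exclusive creation. The C program below is an added example, not code from any vendor or package in this issue; it puts that open pattern beside the O_EXCL and mkstemp forms and exercises all three in a constructed, private temporary directory (the names prog.log, victim and advwatch are made up for the demonstration).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Bug class behind the enscript and jmcce items: a privileged program opens a
 * fixed, guessable name under /tmp without O_EXCL, so a link a local user
 * planted there is followed and the write lands wherever the link points. */
int open_log_predictable(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}
/* Fix 1: create atomically and refuse anything already present at the name. */
int open_log_exclusive(const char *fixed_path)
{
    return open(fixed_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Fix 2 (preferred): unguessable name, created O_CREAT|O_EXCL with mode 0600. */
int open_log_mkstemp(const char *dir, char *path_out, size_t out_len)
{
    int n = snprintf(path_out, out_len, "%s/prog-XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return mkstemp(path_out);           /* path_out now holds the real name */
}
/* Constructed scenario (names made up) in a private directory: prog.log is
 * planted as a symlink to an empty "victim" file, then each opener is tried.
 * Bit mask: 1 = predictable open wrote through the link into victim,
 * 2 = O_EXCL open refused the planted name, 4 = mkstemp left victim alone. */
int demo_tmp_symlink(void)
{
    char dir[] = "/tmp/advwatch-XXXXXX", victim[128], planted[128], fresh[128];
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/prog.log", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));     /* empty target file */
    if (symlink(victim, planted) != 0) return -1;       /* the planted link */
    if ((fd = open_log_predictable(planted)) >= 0 && write(fd, "owned\n", 6) == 6
        && !stat(victim, &st) && st.st_size == 6) result |= 1;
    if (fd >= 0) close(fd);
    if (open_log_exclusive(planted) < 0) result |= 2;
    if ((fd = open_log_mkstemp(dir, fresh, sizeof fresh)) >= 0) {
        if (!stat(victim, &st) && st.st_size == 6) result |= 4;  /* untouched */
        close(fd); unlink(fresh);
    }
    unlink(planted); unlink(victim); rmdir(dir);
    return result;
}
```

A return value of 7 from demo_tmp_symlink() means the predictable open followed the planted link while both hardened forms did not.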