+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  February 1st, 2002                       Volume 3, Number 5a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for rsync, k5su, enscript, gzip,
ptrace, sudo, x-chat, sane-backends, pine, at, uucp, mutt, openldap,
squid, and xinetd. The vendors include Caldera, Conectiva, Debian,
EnGarde, FreeBSD, Mandrake, Red Hat, Slackware, SuSE, TurboLinux, and
YellowDog.

LinuxSecurity.com Feature: Approaches to choosing the strength of your
security measures - Anton Chuvakin discusses the known approaches to
choosing the level of security for your organization, risk assessment,
and finding the balance between effective security practices and the
existing budget.
http://www.linuxsecurity.com/feature_stories/feature_story-98.html

*** FREE Apache SSL Guide from Thawte - Are you worried about your web
server security? Click here to get a FREE Thawte Apache SSL Guide and
find the answers to all your Apache SSL security needs.
http://www.gothawte.com/rd178.html

Why be vulnerable? It's your choice. - Are you looking for a solution
that provides the applications necessary to easily create thousands of
virtual Web sites, manage e-mail, DNS, firewalling and database
functions for an entire organization, and supports high-speed broadband
connections, all using a Web-based front-end? EnGarde Secure
Professional provides those features and more!
http://store.guardiandigital.com


+---------------------------------+
|  rsync                          | ----------------------------//
+---------------------------------+

Sebastian Krahmer found several places in rsync (a popular tool to
synchronise files between machines) where signed and unsigned numbers
were mixed, which resulted in insecure code. A remote user could abuse
this to write 0-bytes into rsync's memory and trick rsync into
executing arbitrary code.

  Debian Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/
      main/binary-i386/rsync_2.3.2-1.3_i386.deb
    MD5 checksum: c1e9d2e9d1ed014dd2a3992902a66477

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1857.html

  Mandrake Linux 8.1:
    8.1/RPMS/rsync-2.4.6-3.1mdk.i586.rpm
    048f479dbf9be95eb7e1bf59790d0b22
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-1862.html

  EnGarde Binary Packages:
    i386/rsync-2.4.6-1.0.3.i386.rpm
    MD5 Sum: 130608e7f4d1600d8ceb47ad7fe7c4ce
    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

  EnGarde Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1853.html

  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1856.html

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1860.html

  Red Hat Vendor Advisory (UPDATE):
    http://www.linuxsecurity.com/advisories/redhat_advisory-1875.html

  Slackware Vendor Advisory:
    http://www.linuxsecurity.com/advisories/slackware_advisory-1858.html

  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-1855.html


+---------------------------------+
|  k5su                           | ----------------------------//
+---------------------------------+

The setlogin system call, the use of which is restricted to the
superuser, is used to associate a user name with a login session. The
getlogin system call is used to retrieve that user name.
The setlogin system call is typically used by applications such as
login and sshd.

  [i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
      packages-5-current/security/heimdal-0.4e_2.tgz

  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-1849.html

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1865.html


+---------------------------------+
|  enscript                       | ----------------------------//
+---------------------------------+

The enscript program does not create temporary files in a secure
fashion and as such could be abused if enscript is run as root.

  Mandrake Linux 8.1:
    8.1/RPMS/enscript-1.6.1-22.1mdk.i586.rpm
    f30e305cd6b7050ab2088098a4ac0997
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-1863.html

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1867.html


+---------------------------------+
|  gzip                           | ----------------------------//
+---------------------------------+

There are two problems with the gzip archiving program: the first is a
crash when an input file name is over 1020 characters, and the second
is a buffer overflow that could be exploited if gzip is run on a server
such as an FTP server. The patch applied is from the gzip developers,
and the problems have been fixed in the latest beta.

  Mandrake Linux 8.1:
    8.1/RPMS/gzip-1.2.4a-9.1mdk.i586.rpm
    0c4bd47c8314d2df3b5dd98476a75c80
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-1876.html


+---------------------------------+
|  ptrace                         | ----------------------------//
+---------------------------------+

A process could exec a setuid binary while gaining ptrace control over
it for a short period before the new process image was activated. The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.
  Mandrake: PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-1826.html


+---------------------------------+
|  sudo                           | ----------------------------//
+---------------------------------+

Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity.

  NetBSD [i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
      packages-4-stable/security/sudo-1.6.4.1.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
      packages-5-current/security/sudo-1.6.4.1.tgz

  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-1827.html

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1869.html


+---------------------------------+
|  xchat                          | ----------------------------//
+---------------------------------+

Versions of xchat prior to version 1.8.7 contain a vulnerability which
allows an attacker to cause a vulnerable client to execute arbitrary
IRC server commands as if the vulnerable user had typed them.

  ftp://ftp.yellowdoglinux.com/pub/yellowdog/
    updates/yellowdog-2.1/ppc/
      xchat-1.8.7-1.72.0.ppc.rpm
    75a3959a60589c2b06464a4afdc84150

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1864.html


+---------------------------------+
|  sane-backends                  | ----------------------------//
+---------------------------------+

XSane is an X-based interface providing access to scanners, digital
cameras, and other capture devices. When XSane creates temporary files,
it does so with predictable filenames in a manner that would follow
symbolic links. This could allow a local user to overwrite files
written by the user running XSane.
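The enscript and XSane entries above describe the same temporary-file mistake: a predictable name, and an open() that follows a symbolic link someone has already placed at that name. As an added illustration, not code from the newsletter or from either project, here is that pattern in C beside a hardened form; the function names and the scratch directory under /tmp are assumptions:

```c
/* Added example, not from the newsletter, enscript or XSane: the
 * predictable-temp-file mistake beside a hardened form. All names are
 * hypothetical; the scratch dir under /tmp is created and removed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Weak: fixed name, O_CREAT without O_EXCL. If a symlink was planted
 * at `path`, open() follows it and whatever it points to is truncated. */
int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail (errno == EEXIST) if anything,
 * a symlink included, already sits at `path`; 0600 keeps it private. */
int open_tmp_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Exercise both openers in a private scratch directory where a symlink
 * was pre-planted at the predictable name, then try mkstemp(), which
 * picks an unpredictable name and creates it with O_EXCL atomically.
 * Returns 0 when the weak opener follows the link, the hardened one
 * refuses it, and mkstemp() succeeds; -1 otherwise. */
int demo_symlink_tmpfile(void) {
    char dir[] = "/tmp/advwatch.XXXXXX";
    char target[64], lnk[64], tmpl[64];
    int rc = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);
    if (symlink(target, lnk) == 0) {
        int weak = open_tmp_weak(lnk);    /* creates `victim` via link */
        int hard = open_tmp_hardened(lnk);
        int herr = errno;                 /* capture before other calls */
        int safe = mkstemp(tmpl);         /* template must end in XXXXXX */
        if (weak >= 0 && hard == -1 && herr == EEXIST && safe >= 0) rc = 0;
        if (weak >= 0) close(weak);
        if (safe >= 0) { close(safe); unlink(tmpl); }
        unlink(target); unlink(lnk);
    }
    rmdir(dir);
    return rc;
}
```

The hardened opener only helps if the program also reacts to EEXIST by picking another name rather than retrying the same one; mkstemp() does that for you.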
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1868.html


+---------------------------------+
|  pine                           | ----------------------------//
+---------------------------------+

The purpose of this release is to fix a security bug with the treatment
of quotes in the URL-handling code. The bug allows a malicious sender
to embed commands in a URL. This bug is present in all versions of UNIX
Pine 4.43 or earlier.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1870.html


+---------------------------------+
|  at                             | ----------------------------//
+---------------------------------+

A server running the latest version of at could have commands that
depend on the current environment (for example, the PATH), which would
then fail or run incorrectly because the environment would not be
accessible when the command was executed at a later time.

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1871.html


+---------------------------------+
|  uucp                           | ----------------------------//
+---------------------------------+

uuxqt in the Taylor UUCP package does not properly remove dangerous
long options, which allows local users to gain uid and gid uucp
privileges by calling uux and specifying an alternate configuration
file with the --config option.

  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1872.html


+---------------------------------+
|  mutt                           | ----------------------------//
+---------------------------------+

An overflow exists in mutt's RFC822 address parser. A remote attacker
could send a carefully crafted email message which, when read by mutt,
would be able to overwrite arbitrary bytes in memory. The updated
mutt-1.2.5.1 release fixes the problem. Thanks go to Joost Pol for
discovering the bug and to the Mutt team for the fixed release.
  YellowDog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1866.html


+---------------------------------+
|  openldap                       | ----------------------------//
+---------------------------------+

Authenticated users (in openldap versions 2.0.8 up to 2.0.19) could
issue a REPLACE command for an attribute where the new value is an
empty one, thus effectively removing the attribute if allowed by the
current schema, that is, if the attribute in question is not mandatory.
In versions prior to 2.0.8, anonymous users could do this as well,
regardless of ACLs protecting this attribute.

  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-1861.html


+---------------------------------+
|  squid                          | ----------------------------//
+---------------------------------+

Squid has a flaw in the code that handles FTP PUT commands: when a
mkdir-only request was made, squid would detect an internal error and
exit. The Squid init script also cannot use the restart command,
because the start command is issued before the stop command has
finished.

  TurboLinux 6.0 update:
    ftp://ftp.turbolinux.com/pub/updates/6.0/security/
      squid-2.4.STABLE2-3.i386.rpm
    8d163dfdb90a42c46a5c169b2dc0d4f4

  TurboLinux Vendor Advisory:
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-1851.html


+---------------------------------+
|  xinetd                         | ----------------------------//
+---------------------------------+

Exploitation of the conditions discovered during the audit could lead
to a denial of service or remote root compromise.

  TurboLinux 6.0 update:
    ftp://ftp.turbolinux.com/pub/updates/6.0/security/
      xinetd-2.3.3-3.i386.rpm
    00c15d36ce412917672826c7d9ffd69e

  TurboLinux Vendor Advisory:
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-1852.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------