+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 1st, 2002 Volume 3, Number 5a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@linuxsecurity.com ben@linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for rsync, k5su, enscript, gzip,
ptrace, sudo, x-chat, sane-backends, pine, at, uucp, mutt, openldap,
squid, and xinetd. The vendors include Caldera, Conectiva, Debian,
EnGarde, FreeBSD, Mandrake, FreeBSD, Red Hat, Slackware, SuSE, TurboLinux,
and YellowDog.
LinuxSecurity.com Feature: Approaches to choosing the strength of your
security measures - Anton Chuvakin discusses the known approaches to
choosing the level of security for your organization, risk assessment, and
finding the balance between effective security practices and the existing
budget.
http://www.linuxsecurity.com/feature_stories/feature_story-98.html
*** FREE Apache SSL Guide from Thawte - Are you worried about your web
server security? Click here to get a FREE Thawte Apache SSL Guide and
find the answers to all your Apache SSL security needs.
http://www.gothawte.com/rd178.html
Why be vulnerable? Its your choice. - Are you looking for a solution that
provides the applications necessary to easily create thousands of virtual
Web sites, manage e-mail, DNS, firewalling database functions for an
entire organization, and supports high-speed broadband connections all
using a Web-based front-end? EnGarde Secure Professional provides those
features and more!
http://store.guardiandigital.com
+---------------------------------+
| rsync | ----------------------------//
+---------------------------------+
Sebastian Krahmer found several places in rsync (a popular tool to
synchronise files between machines) where signed and unsigned numbers were
mixed which resulted in insecure code. This could be abused by remote
users to write 0-bytes in rsync's memory and trick rsync into executing
arbitrary code.
Debian Intel IA-32 architecture:
http://security.debian.org/dists/stable/updates/
main/binary-i386/rsync_2.3.2-1.3_i386.deb
MD5 checksum: c1e9d2e9d1ed014dd2a3992902a66477
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1857.html
Mandrake Linux 8.1:
8.1/RPMS/rsync-2.4.6-3.1mdk.i586.rpm
048f479dbf9be95eb7e1bf59790d0b22
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1862.html
EnGarde Binary Packages:
i386/rsync-2.4.6-1.0.3.i386.rpm
MD5 Sum: 130608e7f4d1600d8ceb47ad7fe7c4ce
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1853.html
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1856.html
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1860.html
Red Hat Vendor Advisory (UPDATE):
http://www.linuxsecurity.com/advisories/redhat_advisory-1875.html
Slackware Vendor Advisory:
http://www.linuxsecurity.com/advisories/slackware_advisory-1858.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1855.html
+---------------------------------+
| k5su | ----------------------------//
+---------------------------------+
The setlogin system call, the use of which is restricted to the superuser,
is used to associate a user name with a login session. The getlogin
system call is used to retrieve that user name. The setlogin system call
is typically used by applications such as login and sshd.
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/security/heimdal-0.4e_2.tgz
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1849.html
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1865.html
+---------------------------------+
| enscrypt | ----------------------------//
+---------------------------------+
The enscript program does not create temporary files in a secure fashion
and as such could be abused if enscript is run as root.
Mandrake Linux 8.1:
8.1/RPMS/enscript-1.6.1-22.1mdk.i586.rpm
f30e305cd6b7050ab2088098a4ac0997
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1863.html
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1867.html
+---------------------------------+
| gzip | ----------------------------//
+---------------------------------+
There are two problems with the gzip archiving program; the first is a
crash when an input file name is over 1020 characters, and the second is a
buffer overflow that could be exploited if gzip is run on a server such as
an FTP server. The patch applied is from the gzip developers and the
problems have been fixed in the latest beta.
Mandrake Linux 8.1:
8.1/RPMS/gzip-1.2.4a-9.1mdk.i586.rpm
0c4bd47c8314d2df3b5dd98476a75c80
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1876.html
+---------------------------------+
| ptrace | ----------------------------//
+---------------------------------+
A process could exec a setuid binary, while gaining ptrace control
over it for a short period before the process was activated. The
ptrace controller process could then modify the address space of the
controlled process and abuse its elevated privileges.
Mandrake:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-1826.html
+---------------------------------+
| sudo | ----------------------------//
+---------------------------------+
Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity.
NetBSD [i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-4-stable/security/sudo-1.6.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/security/sudo-1.6.4.1.tgz
NetBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-1827.html
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1869.html
+---------------------------------+
| xchat | ----------------------------//
+---------------------------------+
Versions of xchat prior to version 1.8.7 contain a vulnerability which
allows an attacker to cause a vulnerable client to execute arbitrary IRC
server commands as if the vulnerable user had typed them.
ftp://ftp.yellowdoglinux.com/pub/yellowdog/
updates/yellowdog-2.1/ppc/
xchat-1.8.7-1.72.0.ppc.rpm
75a3959a60589c2b06464a4afdc84150
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1864.html
+---------------------------------+
| sane-backends | ----------------------------//
+---------------------------------+
XSane is an X-based interface providing access to scanners, digital
cameras, and other capture devices. When XSane creates temporary files, it
does so with predictable filenames in a manner that would follow symbolic
links. This could allow a local user to overwrite files written by the
user running XSane.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1868.html
+---------------------------------+
| pine | ----------------------------//
+---------------------------------+
The purpose of this release is to fix a security bug with the treatment of
quotes in the URL-handling code. The bug allows a malicious sender to
embed commands in a URL. This bug is present in all versions of UNIX Pine
4.43 or earlier.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1870.html
+---------------------------------+
| at | ----------------------------//
+---------------------------------+
A server running the latest version of at could have commands that depend
on the current environment (for example, the PATH) which would then fail
or run incorrectly because the environment would not be accessible when
the command was executed at a later time.
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1871.html
+---------------------------------+
| uucp | ----------------------------//
+---------------------------------+
uuxqt in Taylor UUCP package does not properly remove dangerous long
options, which allows local users to gain uid and gid uucp privileges by
calling uux and specifying an alternate configuration file with the
--config option
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1872.html
+---------------------------------+
| mutt | ----------------------------//
+---------------------------------+
An overflow exists in mutt's RFC822 address parser. A remote attacker
could send a carefully crafted email message which when read by mutt would
be able to overwrite arbitrary bytes in memory. The updated mutt-1.2.5.1
release fixes the problem. Thanks go to Joost Pol for discovering the bug
and the Mutt team for the fixed release.
YellowDog Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1866.html
+---------------------------------+
| openldap | ----------------------------//
+---------------------------------+
Authenticated users (in openldap versions 2.0.8 up to 2.0.19) could issue
a REPLACE command for an attribute where the new value is an empty one,
thus effectively removing the attribute if allowed by the current schema,
that is, if the attribute in question is not mandatory. In versions prior
to 2.0.8, anonymous users could do this as well, regardless of ACLs
protecting this attribute.
Caldera Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1861.html
+---------------------------------+
| squid | ----------------------------//
+---------------------------------+
Squid has a flaw in the code to handle FTP PUT commands: when a mkdir-only
request was done squid would detect an internal error and exit. Squid
script cannot use the restart command. Because when stop command isn't
finished, start command is started.
TurboLinux Vendor Advisory:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/
squid-2.4.STABLE2-3.i386.rpm
8d163dfdb90a42c46a5c169b2dc0d4f4
TurboLinux Vendor Advisory:
http://www.linuxsecurity.com/advisories/turbolinux_advisory-1851.html
+---------------------------------+
| xinetd | ----------------------------//
+---------------------------------+
Exploitation of the conditions discovered during the audit could lead to a
denial of service or remote root compromise.
TurboLinux Vendor Advisory:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/
xinetd-2.3.3-3.i386.rpm
00c15d36ce412917672826c7d9ffd69e
TurboLinux Vendor Advisory:
http://www.linuxsecurity.com/advisories/turbolinux_advisory-1852.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
