Linux Advisory Watch - February 8th 2002

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  February 7th, 2002                       Volume 3, Number  6a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for pine, rsync, FreeBSD kernel, wmtv,
and telnet.  The vendors include Conectiva, Debian, FreeBSD, and Red Hat.
Also this week, LinuxSecurity.com has released the latest version of the
EnGarde Linux Postfix Howto.  It can be found at:

http://www.linuxsecurity.com/feature_stories/feature_story-91.html 

LinuxSecurity.com Feature: Approaches to choosing the strength of your
security measures - Anton Chuvakin discusses the known approaches to
choosing the level of security for your organization, risk assessment, and
finding the balance between effective security practices and the existing
budget.

http://www.linuxsecurity.com/feature_stories/feature_story-98.html 
  

Why be vulnerable? Its your choice. - Are you looking for a solution that
provides the applications necessary to easily create thousands of virtual
Web sites, manage e-mail, DNS, firewalling database functions for an
entire organization, and supports high-speed broadband connections all
using a Web-based front-end? EnGarde Secure Professional provides those
features and more!
 
 http://store.guardiandigital.com
 
 
+---------------------------------+
|  pine                           | ----------------------------//
+---------------------------------+

A vulnerability[2] in the pine URL handler was discovered that allows
remote attackers to execute arbitrary shell commands in the user's machine
by encapsulating them in a URL using environment variables. This
vulnerability only affects users whith the msg-view-url option enabled
(which is not the default).

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 pico-4.44L-1U70_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 pine-4.44L-1U70_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/ 
 pilot-4.44L-1U70_1cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-1877.html


  
+---------------------------------+
|  rsync                          | ----------------------------//
+---------------------------------+

In Debian Security Advisory DSA-106-1 we reported a exploitable problem in
rsync. For details please see that advisory. Unfortunately the patch used
to fix that problem broke rsync.  This has been fixed in version 2.3.2-1.5
and we recommend you upgrade to that version immediately.
 
 Debian Intel IA-32 architecture: 
 http://security.debian.org/dists/stable/updates/ 
 main/binary-i386/rsync_2.3.2-1.5_i386.deb 
 MD5 checksum: 41891f496f0b38b176de1bd3df04945c 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1878.html


  

+---------------------------------+
|  FreeBSD Kernel                 | ----------------------------//
+---------------------------------+

On vulnerable FreeBSD systems where procfs is mounted, unprivileged local
users may be able to cause a kernel panic. A race condition existed where
a file could be removed between calling fstatfs() and the point where the
file is accessed causing the file descriptor to become invalid.  This may
allow unprivileged local users to cause a kernel panic.  Currently only
the procfs filesystem is known to be vulnerable.

 FreeBSD: 
 fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ 
 CERT/patches/SA-02:09/fstatfs.patch 

 FreeBSD Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1879.html


  
+---------------------------------+
|  wmtv                           | ----------------------------//
+---------------------------------+

Nicolas Boullis found some security problems in the wmtv package (a
dockable video4linux TV player for windowmaker) which is distributed in
Debian GNU/Linux 2.2.  With the current version of wmtv, the configuration
file is written back as the superuser, and without any further checks.  A
mailicious user might use that to damage important files.

 Debian Intel ia32 architecture: 
 http://security.debian.org/dists/stable/updates/main/ 
 binary-i386/wmtv_0.6.5-2potato2_i386.deb 
 MD5 checksum: 270d8553f9d732d612154dd0927ceece 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-1880.html


  
+---------------------------------+
|  telnet                         | ----------------------------//
+---------------------------------+

New telnet, telnet-server packages are available for Red Hat Linux 5.2,
5.2, 7.0 and 7.1. These packages fix a problem where buffer overflows can
provide root access to local users. It is recommended that all users
update to the fixed packages.

 Red Hat: 7.1 i386: 
 ftp://updates.redhat.com/7.1/en/os/i386/ 
 telnet-0.17-18.1.i386.rpm 
 d4c6ea58c27504771887ada7f89646dd 

 ftp://updates.redhat.com/7.1/en/os/i386/ 
 telnet-server-0.17-18.1.i386.rpm 
 3165c07852274f4303c1acebde8ded06 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-1881.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux