+----------------------------------------------------------------+
|  LinuxSecurity.com                     Linux Advisory Watch    |
|  February 15th, 2002                   Volume 3, Number 7a     |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for rsync, mutt, OpenLDAP, uucp,
faqomatic, cupsys, ucd-snmp, and at. The vendors include Caldera,
Conectiva, Debian, FreeBSD, and Red Hat.

Also this week, there is a great deal of news surrounding the SNMP
vulnerabilities. The CERT advisory states "Numerous vulnerabilities
have been reported in multiple vendors' SNMP implementations. These
vulnerabilities may allow unauthorized privileged access,
denial-of-service attacks, or cause unstable behavior."

The full CERT Advisory text can be found here:
http://www.linuxsecurity.com/articles/network_security_article-4431.html

An SNMP Advisory FAQ can be found here:
http://www.linuxsecurity.com/articles/security_sources_article-4433.html

Why be vulnerable? It's your choice.

Are you looking for a solution that provides the applications
necessary to easily create thousands of virtual Web sites, manage
e-mail, DNS, firewalling, database functions for an entire
organization, and supports high-speed broadband connections all using
a Web-based front-end? EnGarde Secure Professional provides those
features and more!

http://store.guardiandigital.com

+---------------------------------+
|  rsync                          | ----------------------------//
+---------------------------------+

Sebastian Krahmer of SuSE discovered a vulnerability in rsync that
allows an attacker to modify memory of the rsync server process.
There is no known exploit yet, but this vulnerability could be used
against servers providing downloads via anonymous rsync. Note that
the problem can also be exploited by a rogue server, attacking a
client who uses rsync.

  ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
  319f52b332937a9ec9b6b3a84a1a2818  RPMS/rsync-2.5.0-2.i386.rpm

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1887.html

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1889.html

+---------------------------------+
|  mutt                           | ----------------------------//
+---------------------------------+

The mail user agent mutt is susceptible to a remote attack. By
sending a message with an overlong email address, the attacker is
able to overwrite a single memory location with a zero byte, which
can be exploited to execute arbitrary code within the account of the
email recipient.

  ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
  700b96d068e212e9f68bff794b60acc1  RPMS/mutt-1.2.5-12OL.i386.rpm

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1886.html

+---------------------------------+
|  OpenLDAP                       | ----------------------------//
+---------------------------------+

Recently a security flaw was discovered in OpenLDAP 2.0.19 slapd(8)
regarding application of access controls upon modify operations
issued by authenticated users. Specifically, slapd(8) did not
disallow a replace with no values from deleting the attribute which
was protected by ACLs (if such was allowed by checked schema rules).
That is, this flaw allowed any authenticated user to delete any
non-mandatory attribute of an object. In 2.0 versions prior to 2.0.8,
this flaw is NOT restricted to authenticated users (that is,
anonymous users can abuse the flaw as well).

  ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
  b333cf77ecde92a6c3b6e4c313361e09  RPMS/openldap-2.0.11-11S.i386.rpm
  360db3b5a0f9d0321b00ff0f87b82597  RPMS/openldap-devel-2.0.11-11S.i386.rpm

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1885.html

+---------------------------------+
|  UUCP                           | ----------------------------//
+---------------------------------+

Zenith Parsec discovered a security hole in Taylor UUCP 1.06.1. It
permits a local user to copy any file to anywhere which is writable
by the uucp uid, which effectively means that a local user can
completely subvert the UUCP subsystem, including stealing mail, etc.

  Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1882.html

+---------------------------------+
|  faqomatic                      | ----------------------------//
+---------------------------------+

Due to unescaped HTML code Faq-O-Matic returned unverified scripting
code to the browser. With some tweaking this enables an attacker to
steal cookies from one of the Faq-O-Matic moderators or the admin.

  http://security.debian.org/dists/stable/updates/main/binary-all/faqomatic_2.603-1.2_all.deb
  MD5 checksum: cd2dfe85ed8fb844dad23e61f15e07f3

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1892.html

+---------------------------------+
|  cupsys                         | ----------------------------//
+---------------------------------+

The authors of CUPS, the Common UNIX Printing System, have found a
potential buffer overflow bug in the code of the CUPS daemon where it
reads the names of attributes. This affects all versions of CUPS.

  Intel ia32 architecture:

  http://security.debian.org/dists/stable/updates/main/binary-i386/cupsys-bsd_1.0.4-10_i386.deb
  MD5 checksum: 05400bb194af07b79287a6390125b3ee

  http://security.debian.org/dists/stable/updates/main/binary-i386/cupsys_1.0.4-10_i386.deb
  MD5 checksum: cc857d9a2a629dd14074d4d6469fbcd3

  http://security.debian.org/dists/stable/updates/main/binary-i386/libcupsys1-dev_1.0.4-10_i386.deb
  MD5 checksum: ef741829699442ddc5b754ac693cfd39

  http://security.debian.org/dists/stable/updates/main/binary-i386/libcupsys1_1.0.4-10_i386.deb
  MD5 checksum: dfeafd588730f20b3b0426722e9f0ba0

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1893.html

+---------------------------------+
|  ucd-snmp                       | ----------------------------//
+---------------------------------+

The Secure Programming Group of the Oulu University did a study on
SNMP implementations and uncovered multiple flaws that can lead to
problems ranging from denial-of-service attacks to remote exploits.

  Intel IA-32 architecture:

  http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1-dev_4.1.1-2.1_i386.deb
  MD5 checksum: 5addf966bc067f943b4ca6c7d604a48f

  http://security.debian.org/dists/stable/updates/main/binary-i386/libsnmp4.1_4.1.1-2.1_i386.deb
  MD5 checksum: e1ebaeaee18859d1e58aae658e4b1564

  http://security.debian.org/dists/stable/updates/main/binary-i386/snmp_4.1.1-2.1_i386.deb
  MD5 checksum: 7d13633a4e8a922eb36d6bfe8a04f0f3

  http://security.debian.org/dists/stable/updates/main/binary-i386/snmpd_4.1.1-2.1_i386.deb
  MD5 checksum: bb63f353a4e3bba6d0bd3acc54f6a138

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1896.html

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1890.html

  Yellow-Dog Linux Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1894.html

  Conectiva Linux Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1895.html

  Red Hat 7.2 i386:

  ftp://updates.redhat.com/7.2/en/os/i386/ucd-snmp-4.2.3-1.7.2.3.i386.rpm
  0b124baa0ad9d6dfff163bedefbd2cf8

  ftp://updates.redhat.com/7.2/en/os/i386/ucd-snmp-utils-4.2.3-1.7.2.3.i386.rpm
  2111e9ba725167a3f6d87db056a8bda2

  ftp://updates.redhat.com/7.2/en/os/i386/ucd-snmp-devel-4.2.3-1.7.2.3.i386.rpm
  c2bd228d204ee3c7668209d8e26e02c1

  ftp://updates.redhat.com/7.2/en/os/i386/ethereal-0.8.18-10.7.2.1.i386.rpm
  0e5cb05d81426fbee44e4c5fc4b2d176

  ftp://updates.redhat.com/7.2/en/os/i386/ethereal-gnome-0.8.18-10.7.2.1.i386.rpm
  bc176a2fba2fa979f2aa28a82570c6cf

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1891.html

+---------------------------------+
|  groff                          | ----------------------------//
+---------------------------------+

zen-parse discovered an exploitable buffer overflow in groff's
preprocessor. If groff is invoked using the LPRng printing system, an
attacker can gain rights as the "lp" user.
Likewise, this may be remotely exploitable if lpd is running and
remotely accessible and the attacker knows the name of the printer
and its spool file.

  Mandrake Linux 8.1:
  6cc7c8c5936c4a15dca519219c4f078a  8.1/RPMS/groff-1.17.2-3.3mdk.i586.rpm
  c8a8ae0e7848c60b922c8d8326afe01e  8.1/RPMS/groff-for-man-1.17.2-3.3mdk.i586.rpm
  3dd6a64b3007bcd6bc3f807f5373462  8.1/RPMS/groff-gxditview-1.17.2-3.3mdk.i586.rpm
  a92f47ab6a6d3a46509f3dd0d76ea9e3  8.1/RPMS/groff-perl-1.17.2-3.3mdk.i586.rpm
  fdae065cd64b4527919d44dbcf126497  8.1/SRPMS/groff-1.17.2-3.3mdk.src.rpm

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1883.html

+---------------------------------+
|  at                             | ----------------------------//
+---------------------------------+

This updated at package fixes two minor problems and one major
problem where the environment can get wiped out prior to the
execution of a scheduled command. For versions of Red Hat Linux prior
to 7.2, this package also fixes a potential security vulnerability
which can result in heap corruption (Red Hat Linux 7.2 is not
vulnerable to this security exploit).

  Red Hat Linux 7.2: i386:
  ftp://updates.redhat.com/7.2/en/os/i386/at-3.1.8-23.i386.rpm
  ea793fd803f10c8fa66abb8191fefb9b

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1884.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------