+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  March 8th, 2002                          Volume 3, Number 10a |
+----------------------------------------------------------------+

  Editors:      Dave Wreski                 Benjamin Thomas
                dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for php, cfs, cvs, xsane, openssh,
apache, ntop, squid, and radiusd-cistron. The vendors include Conectiva,
Debian, EnGarde, FreeBSD, Red Hat, Slackware, SuSE, and Yellow Dog.

Security and Simplicity - Are you looking for a solution that provides
the applications necessary to easily create thousands of virtual Web
sites, manage e-mail, DNS, firewalling and database functions for an
entire organization, and supports high-speed broadband connections, all
using a Web-based front-end? EnGarde Secure Professional provides those
features and more!

 http://store.guardiandigital.com/html/eng/493-AA.shtml

FEATURE: Fingerprinting Web Server Attacks - In this article, zenomorph
discusses multiple ways attackers attempt to exploit port 80 to gain
control of a web server. Using this information, an administrator can
learn to detect potential attacks and the steps that are necessary to
protect a server from them.

 http://www.linuxsecurity.com/feature_stories/fingerprinting-http.html

FEATURE: Linux 802.11b and wireless (in)security - In this article,
Michael talks about Linux and background on wireless security, utilities
to interrogate wireless networks, and the top tips you should know to
improve the wireless security of your network.
 http://www.linuxsecurity.com/feature_stories/wireless-kismet.html

+---------------------------------+
|  php                            | ----------------------------//
+---------------------------------+

Stefan Esser, who is also a member of the PHP team, found several flaws
in the way PHP handles multipart/form-data POST requests (as described
in RFC 1867), known as POST file uploads. Each of the flaws could allow
an attacker to execute arbitrary code on the victim's system. In PHP 3
the flaws are a broken boundary check and an arbitrary heap overflow;
in PHP 4 they are a broken boundary check and a heap off-by-one error.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1925.html

 Yellow Dog Linux Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1934.html

 Slackware Vendor Advisory:
 http://www.linuxsecurity.com/advisories/slackware_advisory-1927.html

+---------------------------------+
|  cfs                            | ----------------------------//
+---------------------------------+

Zorgon found several buffer overflows in cfsd, a daemon that pushes
encryption services into the Unix(tm) file system. We are not yet sure
whether these overflows can successfully be exploited to gain root
access to the machine running the CFS daemon. However, since cfsd can
easily be forced to die, a malicious user can easily mount a denial of
service attack against it.

 Debian Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/binary-i386/cfs_1.3.3-8.1_i386.deb
 MD5 checksum: 33651b606e1fa0dc15c9d7256580df84

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1926.html

+---------------------------------+
|  cvs                            | ----------------------------//
+---------------------------------+

Kim Nielsen recently found an internal problem with the CVS server and
reported it to the vuln-dev mailing list. The problem is triggered by an
improperly initialized global variable.
A user exploiting this can crash the CVS server, which may be accessed
through the pserver service and run under a remote user id. It is not
yet clear whether the remote account can be exposed, though.

 Debian Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/binary-i386/cvs_1.10.7-9_i386.deb
 MD5 checksum: af8331fa78feee3029ebdde3e743adf5

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1931.html

+---------------------------------+
|  xsane                          | ----------------------------//
+---------------------------------+

Tim Waugh found several insecure uses of temporary files in the xsane
program, which is used for scanning. This was fixed for Debian/stable by
moving those files into a securely created directory within /tmp.

 Debian Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/binary-i386/xsane_0.50-5.1_i386.deb
 MD5 checksum: 069983f5340d5524a78b4bd896c6edb5

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1933.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

An authorized remote user (i.e. a user that can successfully
authenticate on the target system) may be able to cause sshd to execute
arbitrary code with superuser privileges. A malicious server may be able
to cause a connecting ssh client to execute arbitrary code with the
privileges of the client user.
 PLEASE SEE ADVISORY FOR UPDATE

 FreeBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1938.html

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1937.html

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1940.html

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-1939.html

+---------------------------------+
|  apache                         | ----------------------------//
+---------------------------------+

A remote attacker could exploit this vulnerability and execute arbitrary
commands on the server running apache with the affected module enabled.
A probable way to exploit it is via client certificate authentication,
where the attacker would use a specially crafted certificate to overflow
the affected buffer. Since the vulnerability is triggered only after the
client certificate has been checked, the certificate would have to be
signed by a CA accepted by the apache server.

 Conectiva:
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-1.3.22-1U70_3cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-devel-1.3.22-1U70_3cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/7.0/RPMS/apache-doc-1.3.22-1U70_3cl.i386.rpm

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1928.html

+---------------------------------+
|  ntop                           | ----------------------------//
+---------------------------------+

ntop is a UNIX tool that shows network usage, similar to what the
popular top UNIX command does at the system level. A format string
vulnerability has been discovered in the program and is currently known
to affect the UNIX version; the Windows port remains untested. The
vulnerability allows remote arbitrary code execution.
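The bug class behind the ntop item, as an added illustration that is not
ntop's code: a logging wrapper that is handed remote text as its format
string, the hardened form beside it, and two small audit helpers for spotting
conversion directives in text that reaches a format argument. The function
names (log_line, log_unsafe, log_safe, count_directives, has_percent_n) and
the sample strings are this example's own, not taken from the advisory.

```c
/* Added illustration of the format-string bug class reported in ntop.
 * Not ntop's code; all names here are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char logbuf[256];          /* formatted line; demo only, not thread-safe */

/* A logging wrapper of the kind daemons typically carry. */
static void log_line(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: remote text (a hostname, a URL) is passed as the *format*.
 * Every '%' directive in it is then interpreted: "%x" dumps stack words,
 * "%s" dereferences them, "%n" writes a count into memory, which is how
 * this class yields remote code execution. Only "%%" (the one directive
 * that consumes no argument) is used in the check below, so running the
 * demonstration itself stays defined behaviour. */
const char *log_unsafe(const char *untrusted)
{
    log_line(untrusted);              /* BUG: untrusted text is the format */
    return logbuf;
}

/* HARDENED: the format is a literal; the remote text is only data. */
const char *log_safe(const char *untrusted)
{
    log_line("%s", untrusted);
    return logbuf;
}

/* Audit helper: number of conversion directives in a string. A literal
 * "%%" is not a conversion and is skipped. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Detection for log review: does the text carry "%n", the write primitive?
 * Skips flags, width, precision and length modifiers before the conversion. */
int has_percent_n(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') return 1;
    }
    return 0;
}

int main(void)
{
    const char *probe = "cpu 100%% busy";      /* constructed remote text */
    printf("unsafe: %s\n", log_unsafe(probe)); /* "%%" collapses to "%" */
    printf("safe:   %s\n", log_safe(probe));   /* text reproduced verbatim */
    printf("%%n in \"AAAA%%08x%%n\": %d\n", has_percent_n("AAAA%08x%n"));
    return 0;
}
```

The tell-tale sign in the unsafe path is that the output no longer matches
the input: the logger consumed the "%%". With "%x" or "%n" in the same
position the consequences are a stack leak or a memory write, so any input
that reaches a format argument with a non-zero count_directives() result
should be treated as an attack attempt, and "%n" as an exploitation attempt.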
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 ntop Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1932.html

+---------------------------------+
|  squid                          | ----------------------------//
+---------------------------------+

Squid is a high-performance proxy caching server. Various security
issues have been found in Squid up to and including version 2.4.STABLE2.
These were:

 1. a memory leak in the SNMP code
 2. a crash on specially-formatted data in FTP URL parsing
 3. HTCP would still be active, even if it was disabled in the config
    file

 Yellow Dog Linux:
 ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/squid-2.4.STABLE3-1.7.0.ppc.rpm
 6f8f7c0c790de090b1a33ad08834f489

 YellowDog Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1935.html

 SuSE-7.3:
 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/squid-2.3.STABLE4-155.i386.rpm
 4b1cff53fddcaf8930ec6738c6763a94
 ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/squid-beta-2.4.STABLE2-94.i386.rpm
 4ca7f3594ec82b703c6c36c08fb46ecb

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-1929.html

+---------------------------------+
|  radiusd-cistron                | ----------------------------//
+---------------------------------+

The radiusd-cistron package contains a server daemon for the Remote
Authentication Dial-In User Service (RADIUS) client/server security
protocol. Various vulnerabilities have been found in Cistron RADIUS as
well as in other RADIUS servers and clients.
 Red Hat:
 i386:
 ftp://updates.redhat.com/7.1/en/powertools/i386/radiusd-cistron-1.6.6-2.i386.rpm
 b5c937f5e48d4d3484b64e20f8785b4a

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1930.html

 Conectiva:
 ftp://atualizacoes.conectiva.com.br/7.0/7.0/RPMS/radiusd-cistron-1.6.6-1U70_1cl.i386.rpm

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1936.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
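Returning to the php item above: an added, bounds-checked parser for the
RFC 1867 multipart/form-data bodies that advisory concerns. This is not
PHP's code and does not reproduce its bug; it shows the two checks the
advisory names (every boundary search is bounded by the end of the body, and
a part is only copied into a buffer that has room for its terminator). The
sample body and the boundary "XyZ" are constructed for the demonstration, and
the helper names (parse_multipart, copy_part, sample_*) are this example's own.

```c
/* Added example (not PHP's code): bounds-checked RFC 1867 multipart parser.
 * SAMPLE below is a constructed two-part upload body. */
#include <stdio.h>
#include <string.h>

#define MAX_BOUNDARY 70                     /* RFC 2046 limit on boundary length */

typedef struct {
    const char *hdr;  size_t hdrlen;        /* part headers, without the blank line */
    const char *data; size_t datalen;       /* part body, without the trailing CRLF */
} part_t;

/* memmem-style search that never reads past hay+hlen. */
static const char *find_bytes(const char *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Parse body[0..bodylen) delimited by "--boundary". Returns the number of
 * parts, or -1 if the body is malformed, truncated (no closing delimiter)
 * or holds more than maxparts parts. Every step is checked against `end`;
 * that boundary check is the one the advisory reports as broken. */
int parse_multipart(const char *body, size_t bodylen, const char *boundary,
                    part_t *parts, int maxparts)
{
    char delim[MAX_BOUNDARY + 5];           /* "\r\n--" + boundary */
    size_t blen = strlen(boundary);
    if (blen == 0 || blen > MAX_BOUNDARY) return -1;
    memcpy(delim, "\r\n--", 4);
    memcpy(delim + 4, boundary, blen);
    size_t dlen = blen + 4;

    const char *p = body, *end = body + bodylen;
    /* the first delimiter has no preceding CRLF: match "--boundary" only */
    if ((size_t)(end - p) < dlen - 2 || memcmp(p, delim + 2, dlen - 2) != 0) return -1;
    p += dlen - 2;

    int n = 0;
    for (;;) {
        if ((size_t)(end - p) >= 2 && p[0] == '-' && p[1] == '-') return n; /* closing "--" */
        if ((size_t)(end - p) < 2 || p[0] != '\r' || p[1] != '\n') return -1;
        p += 2;
        const char *hend = find_bytes(p, (size_t)(end - p), "\r\n\r\n", 4);
        if (!hend) return -1;
        const char *data = hend + 4;
        const char *next = find_bytes(data, (size_t)(end - data), delim, dlen);
        if (!next) return -1;               /* truncated upload: refuse, never run to end */
        if (n >= maxparts) return -1;
        parts[n].hdr = p;     parts[n].hdrlen = (size_t)(hend - p);
        parts[n].data = data; parts[n].datalen = (size_t)(next - data);
        n++;
        p = next + dlen;
    }
}

/* Copy a part into a fixed buffer, leaving room for the NUL. Sizing the
 * buffer to exactly datalen and then writing the terminator is the heap
 * off-by-one pattern the PHP 4 item describes; datalen < dstlen prevents it. */
int copy_part(const part_t *pt, char *dst, size_t dstlen)
{
    if (pt->datalen >= dstlen) return -1;
    memcpy(dst, pt->data, pt->datalen);
    dst[pt->datalen] = '\0';
    return 0;
}

/* Constructed sample body: a file part and a plain field, boundary "XyZ". */
static const char SAMPLE[] =
    "--XyZ\r\n"
    "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    "--XyZ\r\n"
    "Content-Disposition: form-data; name=\"x\"\r\n"
    "\r\n"
    "42\r\n"
    "--XyZ--\r\n";

/* Parse SAMPLE with `cut` bytes removed from its end (simulates a truncated
 * request) and at most `maxparts` parts. */
int sample_count(size_t cut, int maxparts)
{
    part_t parts[4];
    size_t len = sizeof SAMPLE - 1;
    if (cut > len || maxparts > 4) return -1;
    return parse_multipart(SAMPLE, len - cut, "XyZ", parts, maxparts);
}

/* Data length of part i of SAMPLE, or -1. */
int sample_datalen(int i)
{
    part_t parts[4];
    if (i < 0 || parse_multipart(SAMPLE, sizeof SAMPLE - 1, "XyZ", parts, 4) <= i) return -1;
    return (int)parts[i].datalen;
}

/* copy_part() of part i into a buffer of dstlen bytes: 0 if it fits, else -1. */
int sample_copy(int i, size_t dstlen)
{
    part_t parts[4];
    char buf[64];
    if (i < 0 || dstlen > sizeof buf) return -1;
    if (parse_multipart(SAMPLE, sizeof SAMPLE - 1, "XyZ", parts, 4) <= i) return -1;
    return copy_part(&parts[i], buf, dstlen);
}
```

Removing the closing "\r\n--XyZ--\r\n" from the sample makes parse_multipart()
return -1 instead of treating the rest of the buffer as part data, and
copying the five-byte "hello" part into a five-byte buffer is refused while a
six-byte buffer succeeds: those two refusals are the checks an upload handler
must make before it touches the heap.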
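For the xsane item above, an added example (not xsane's code) contrasting
the predictable /tmp file name pattern that the advisory's fix replaces with a
securely created private directory of the kind Debian describes. It assumes a
writable TMPDIR or /tmp, and the file name scan.pnm and the function names
(insecure_tmp_name, make_private_tmpdir, open_private_tmpfile, is_private_dir,
demo_private_tmp) are this example's own.

```c
/* Added example (not xsane's code): predictable temp names versus a
 * private, securely created directory under /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* INSECURE pattern: the name depends only on the PID, so another local user
 * can guess it and pre-create a symlink there; a later open() without O_EXCL
 * follows the link and the program writes to a file the attacker chose. */
int insecure_tmp_name(char *out, size_t len)
{
    int r = snprintf(out, len, "/tmp/xsane-%d.pnm", (int)getpid());
    return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

/* SECURE: mkdtemp() atomically creates a directory with mode 0700 and an
 * unpredictable suffix; only the owner can create entries inside it. */
int make_private_tmpdir(char *dir, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (!base || !*base) base = "/tmp";
    int r = snprintf(dir, len, "%s/xsane-XXXXXX", base);
    if (r < 0 || (size_t)r >= len) return -1;
    return mkdtemp(dir) ? 0 : -1;
}

/* Files inside the directory: O_CREAT|O_EXCL refuses a pre-existing entry,
 * O_NOFOLLOW refuses a symlink, 0600 keeps the scan private. Returns the
 * open fd, or -1. */
int open_private_tmpfile(const char *dir, const char *name,
                         char *path, size_t len)
{
    int r = snprintf(path, len, "%s/%s", dir, name);
    if (r < 0 || (size_t)r >= len) return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Audit check: a real directory (not a symlink), owned by us, mode 0700. */
int is_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & 07777) == 0700;
}

/* End-to-end demonstration. Returns 0 when every step behaves as expected,
 * otherwise the number of the failing step. Cleans up after itself. */
int demo_private_tmp(void)
{
    char dir[PATH_MAX], path[PATH_MAX];
    if (make_private_tmpdir(dir, sizeof dir) != 0) return 1;
    if (!is_private_dir(dir)) return 2;
    int fd = open_private_tmpfile(dir, "scan.pnm", path, sizeof path);
    if (fd < 0) return 3;
    if (write(fd, "P4\n", 3) != 3) return 4;    /* stand-in for scan output */
    close(fd);
    /* a second open of the same name must fail: O_EXCL sees the existing file */
    if (open_private_tmpfile(dir, "scan.pnm", path, sizeof path) != -1) return 5;
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    char guessable[PATH_MAX];
    insecure_tmp_name(guessable, sizeof guessable);
    printf("predictable name an attacker can pre-create: %s\n", guessable);
    printf("private directory demo: %s\n", demo_private_tmp() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The difference that matters is not the randomness alone: mkdtemp() creates
the directory and O_EXCL|O_NOFOLLOW creates the file in a single system call
each, so there is no window between "check that the name is free" and "use
it" for another user to slip a symlink in.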