+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  March 15th, 2002                        Volume 3, Number 11a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for zlib, mod_ssl, xtell, pam_pgsql,
cyrus-sasl, netscape, mod_frontpage, openssh, rsync, gzip, NetBSD kernel,
php, fileutils, and cvs. The vendors include Conectiva, Debian, EnGarde,
FreeBSD, Immunix, Mandrake, NetBSD, Red Hat, Slackware, SuSE, Trustix,
and Yellow Dog Linux. Many serious advisories affecting nearly all Linux
vendors were released this week; it is advisable that you patch your
systems immediately.

ALERT: Significant Vulnerability Afflicts Linux Systems - Recently, in a
coordinated effort between all major Linux vendors, a vulnerability in
the zlib library was announced, potentially affecting every installed
Linux system in existence. Find out more:
http://www.linuxsecurity.com/articles/security_sources_article-4582.html

Security and Simplicity - Are you looking for a solution that provides
the applications necessary to easily create thousands of virtual Web
sites, manage e-mail, DNS, firewalling and database functions for an
entire organization, and supports high-speed broadband connections, all
using a Web-based front-end? EnGarde Secure Professional provides those
features and more!
http://store.guardiandigital.com/html/eng/493-AA.shtml

FEATURE: Linux Data Hiding and Recovery - Just when you thought your data
was removed forever, Anton Chuvakin shows us how to recover data and even
how data can surreptitiously be hidden within space on the filesystem.
http://www.linuxsecurity.com/feature_stories/data-hiding-forensics.html

FEATURE: Fingerprinting Web Server Attacks - In this article, zenomorph
discusses multiple ways attackers attempt to exploit port 80 to gain
control of a web server. Using this information, an administrator can
learn to detect potential attacks and the steps that are necessary to
protect a server from them.
http://www.linuxsecurity.com/feature_stories/fingerprinting-http.html

+---------------------------------+
|  zlib                           | ----------------------------//
+---------------------------------+

The compression library zlib has a flaw in which it attempts to free
memory more than once under certain conditions. This can possibly be
exploited to run arbitrary code in a program that includes zlib. If a
network application running as root is linked to zlib, this could
potentially lead to a remote root compromise. No exploits are known at
this time.

 Debian: PLEASE SEE VENDOR ADVISORY
 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1968.html

 Mandrake Linux 8.1:
  8.1/RPMS/zlib1-1.1.3-16.1mdk.i586.rpm
  6dca9c0ff7dac9759d735150139182da
  8.1/RPMS/zlib1-devel-1.1.3-16.1mdk.i586.rpm
  320d06d5f1acc841965ad6c16db396cf
  http://www.mandrakesecure.net/en/ftp.php
 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1976.html
 Mandrake Vendor Advisory [UPDATE]:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1983.html

 SuSE Vendor Advisory I:
 http://www.linuxsecurity.com/advisories/suse_advisory-1967.html
 SuSE Vendor Advisory II:
 http://www.linuxsecurity.com/advisories/suse_advisory-1966.html

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1960.html

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1982.html

 Red Hat Vendor Advisory I:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1965.html
 Red Hat Vendor Advisory II:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1963.html
 Slackware Vendor Advisory:
 http://www.linuxsecurity.com/advisories/slackware_advisory-1973.html

+---------------------------------+
|  mod_ssl, apache_ssl            | ----------------------------//
+---------------------------------+

To exploit the overflow, the server must be configured to require client
certificates, and an attacker must obtain a carefully crafted client
certificate that has been signed by a Certificate Authority which is
trusted by the server. If these conditions are met, it would be possible
for an attacker to execute arbitrary code on the server.

 Debian Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/apache-ssl_1.3.9.13-4_i386.deb
  MD5 checksum: 5085998b8751242a7e9c59b4806a7b24
  http://security.debian.org/dists/stable/updates/main/binary-i386/libapache-mod-ssl_2.4.10-1.3.9-1potato1_i386.deb
  MD5 checksum: e9a64fab4b7891f00b7e66f524ec0ec9
 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1951.html

 Mandrake Linux 8.1:
  8.1/RPMS/mod_ssl-2.8.5-2.1mdk.i586.rpm
  020058f4fd26dc78480804caf5cd0044
  http://www.mandrakesecure.net/en/ftp.php
 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1947.html

 Red Hat:
  i386:
  ftp://updates.redhat.com/7.2/en/os/i386/mod_ssl-2.8.5-4.i386.rpm
  b7c91618cfb9110ce1ad620b9df05ab7
 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1941.html

+---------------------------------+
|  xtell                          | ----------------------------//
+---------------------------------+

Several security related problems have been found in the xtell package, a
simple messaging client and server. In detail, these problems comprise
several buffer overflows, a problem in connection with symbolic links,
and unauthorized directory traversal when the path contains "..". These
problems could allow an attacker to execute arbitrary code on the server
machine.
The server runs with nobody privileges by default, so this would be the
account to be exploited.

 Debian Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/xtell_1.91.1_i386.deb
  MD5 checksum: 15dba43eec2b9b24a04523b27e621bbd
 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1964.html

+---------------------------------+
|  pam-pgsql                      | ----------------------------//
+---------------------------------+

The affected versions of the pam-pgsql port contain a vulnerability that
may allow a remote user to cause arbitrary SQL code to be executed.
pam-pgsql constructs a SQL statement to be executed by the PostgreSQL
server in order to look up user information, verify user passwords, and
change user passwords. The username and password given by the user are
inserted into the SQL statement without any quoting or other safety
checks.

 FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 FreeBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1969.html

+---------------------------------+
|  cyrus-sasl                     | ----------------------------//
+---------------------------------+

Affected versions of the cyrus-sasl port contain a format string
vulnerability. The format string vulnerability occurs during a call to
the syslog(3) function.

 FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 FreeBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1970.html

+---------------------------------+
|  netscape                       | ----------------------------//
+---------------------------------+

The GIF89a and JPEG standards permit images to have embedded comments,
in which any kind of textual data may be stored. Versions 4.76 and
earlier of the Netscape browser will execute JavaScript contained in such
a comment block, if execution of JavaScript is enabled in the
configuration of the browser.
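Looking back at the pam-pgsql entry above: the flaw is that the username and password become part of the SQL text. The following is an added example, not pam-pgsql's code, that puts the interpolated lookup beside the same lookup with bound parameters. An in-memory SQLite database stands in for PostgreSQL and the users table and its rows are constructed for the demo (assumptions); the point is the shape of the two statements, which is the same for any SQL server.

```python
"""Added example: SQL lookup built by string interpolation (the pam-pgsql
pattern) beside the same lookup with driver-bound parameters.
SQLite stands in for PostgreSQL; the users table is constructed."""
import sqlite3


def make_db():
    """Constructed user table with one name that legitimately contains a quote."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("o'brien", "battery staple")])
    return db


def lookup_interpolated(db, name, password):
    """Vulnerable: name and password are pasted into the SQL text verbatim,
    so a quote or comment sequence in either one changes the statement."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone() is not None


def lookup_bound(db, name, password):
    """Fixed: the statement text is constant; values travel as parameters and
    are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


def compare(name, password):
    """Run both lookups on a fresh database; a driver error is reported by its
    exception class name so the two behaviours can be placed side by side."""
    db = make_db()
    out = {}
    for label, fn in (("interpolated", lookup_interpolated), ("bound", lookup_bound)):
        try:
            out[label] = fn(db, name, password)
        except sqlite3.Error as exc:
            out[label] = type(exc).__name__
    return out


if __name__ == "__main__":
    for args in (("alice", "correct horse"), ("o'brien", "battery staple"),
                 ("alice' --", "anything")):
        print(args, compare(*args))
```

The "o'brien" case shows the same defect from the availability side: a legitimate quote breaks the interpolated statement outright, while the bound version simply works. Quoting helpers exist in every driver, but binding parameters removes the whole class of problem instead of patching one character at a time.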
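The netscape entry above turns on a detail of the image formats: both GIF89a and JPEG carry free-form comment blocks that a viewer is supposed to ignore. As an added example, not Netscape's or FreeBSD's code, here is a small scanner that walks the block structure of a GIF or JPEG, pulls out every comment, and flags the ones carrying script markup, which is what a mail gateway or proxy would want to check for in 2002. The sample images are constructed by build_gif and build_jpeg; the scanner stops at the JPEG SOS marker on the assumption that comments precede the image data, as they normally do.

```python
"""Added example: extract GIF89a comment extensions and JPEG COM segments and
flag script markup inside them.  Sample images are constructed below."""

SUSPICIOUS = (b"<script", b"javascript:")


def _sub_blocks(data, pos):
    """Read GIF data sub-blocks (length byte + payload) up to the 0 terminator."""
    out = bytearray()
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        out += data[pos:pos + n]
        pos += n
    raise ValueError("truncated GIF sub-blocks")


def gif_comments(data):
    """Return the payload of every comment extension (0x21 0xFE) in a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # skip global colour table
        pos += 3 * (2 ** ((packed & 7) + 1))
    comments = []
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            break
        if block == 0x21:                  # extension: label then sub-blocks
            label = data[pos]
            pos += 1
            payload, pos = _sub_blocks(data, pos)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:                # image descriptor + LZW data
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:              # skip local colour table
                pos += 3 * (2 ** ((packed & 7) + 1))
            pos += 1                       # LZW minimum code size
            _, pos = _sub_blocks(data, pos)
        else:
            raise ValueError("unknown GIF block 0x%02x" % block)
    return comments


def jpeg_comments(data):
    """Return the payload of every COM (0xFFFE) segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, comments = 2, []
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:                 # fill byte, re-sync on the next 0xFF
            pos -= 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                       # standalone markers have no length
        if marker == 0xD9:
            break                          # EOI
        length = int.from_bytes(data[pos:pos + 2], "big")
        if marker == 0xFE:
            comments.append(data[pos + 2:pos + length])
        pos += length
        if marker == 0xDA:
            break                          # SOS: entropy-coded data follows (assumption: no later COM)
    return comments


def scan_image(data):
    """Return (comments, hits): all comment payloads and the markers found in them."""
    if data[:3] == b"GIF":
        comments = gif_comments(data)
    elif data[:2] == b"\xff\xd8":
        comments = jpeg_comments(data)
    else:
        raise ValueError("unsupported image format")
    hits = [n.decode() for c in comments for n in SUSPICIOUS if n in c.lower()]
    return comments, hits


def _chunked(payload):
    """Encode payload as GIF sub-blocks of at most 255 bytes plus terminator."""
    out = b"".join(bytes([len(payload[i:i + 255])]) + payload[i:i + 255]
                   for i in range(0, len(payload), 255))
    return out + b"\x00"


def build_gif(comment):
    """Constructed 1x1 GIF89a: screen descriptor, graphic control extension,
    comment extension, a tiny image descriptor, trailer."""
    header = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"
    gce = b"\x21\xf9" + _chunked(b"\x00\x00\x00\x00")
    image = b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02" + _chunked(b"\x44\x01")
    return header + gce + b"\x21\xfe" + _chunked(comment) + image + b"\x3b"


def build_jpeg(comment):
    """Constructed JPEG skeleton: SOI, one COM segment, EOI."""
    seg = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return b"\xff\xd8" + seg + b"\xff\xd9"


if __name__ == "__main__":
    print(scan_image(build_gif(b"<SCRIPT>document.title='x'</SCRIPT>")))
    print(scan_image(build_jpeg(b"Created with a constructed encoder")))
```

The needles are deliberately crude; the lesson of the advisory is that comment blocks are opaque to the image decoder but not to the renderer around it, so anything that accepts images from outside should treat those blocks as untrusted text and either strip them or inspect them.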
 FreeBSD:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
  linux-netscape-communicator-4.79.tgz
  linux-netscape-navigator-4.79.tgz
 FreeBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1971.html

+---------------------------------+
|  mod_frontpage                  | ----------------------------//
+---------------------------------+

Affected versions of the mod_frontpage port contain several exploitable
buffer overflows in the fpexec wrapper, which is installed setuid root. A
local attacker may obtain superuser privileges by exploiting the buffer
overflow bugs in fpexec.

 FreeBSD: PLEASE SEE VENDOR ADVISORY
 FreeBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1972.html

 Mandrake Linux 8.1:
  http://www.mandrakesecure.net/en/ftp.php
  8.1/RPMS/mod_frontpage-1.6.1-3.1mdk.i586.rpm
  8c2baeebb796353035f8816ed6cdfbed
 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1945.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

Joost Pol found a bug in the channel code of all versions of OpenSSH from
2.0 to 3.0.2. This bug can allow authenticated users with an existing
account on the vulnerable system to obtain root privileges, or a
malicious server to attack a vulnerable client. OpenSSH 3.1 is not
vulnerable to this problem. The provided packages fix this vulnerability.
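Every vendor entry in this issue pairs a package file with its MD5 sum (the openssh list that follows is the longest), and those sums are only useful if someone actually checks them before installing. The following is an added example, not code from LinuxSecurity.com or any vendor, that parses both list styles used in the issue (the Mandrake/Slackware "path sum" form and the Debian "URL / MD5 checksum: sum" form) and compares the sums against files in a download directory. The two manifest lines in SAMPLE_MANIFEST are quoted from the zlib and mod_ssl sections above; the files in demo() are constructed. MD5 was the vendors' integrity check at the time; the same routine works unchanged with hashlib.sha256 for lists that publish SHA-256.

```python
"""Added example: verify downloaded update packages against the MD5 sums
listed beside them in a vendor advisory.  Not vendor code."""
import hashlib
import os
import re
import tempfile

# Two entries quoted from this issue (zlib/Mandrake and mod_ssl/Debian styles).
SAMPLE_MANIFEST = """
8.1/RPMS/zlib1-1.1.3-16.1mdk.i586.rpm 6dca9c0ff7dac9759d735150139182da
http://security.debian.org/dists/stable/updates/main/binary-i386/apache-ssl_1.3.9.13-4_i386.deb
MD5 checksum: 5085998b8751242a7e9c59b4806a7b24
"""

# A package path/URL, optional "MD5 checksum:" label, then a 32-hex-digit sum.
_ENTRY = re.compile(r"(\S+\.(?:rpm|deb|tgz))\s+(?:MD5 checksum:\s*)?([0-9a-fA-F]{32})")


def parse_manifest(text):
    """Map package basename -> expected md5 (lowercase hex)."""
    return {os.path.basename(name): digest.lower()
            for name, digest in _ENTRY.findall(text)}


def md5_hex(path):
    """Stream the file through MD5 so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest, directory):
    """Return {basename: "OK" | "MISMATCH" | "MISSING"} for every manifest entry."""
    result = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "MISSING"
        elif md5_hex(path) == expected:
            result[name] = "OK"
        else:
            result[name] = "MISMATCH"
    return result


def demo():
    """Constructed run: one intact file, one altered file, one never downloaded.
    5d41402abc4b2a76b9719d911017c592 is the MD5 of the bytes b"hello"."""
    manifest = parse_manifest(
        "8.1/RPMS/good.rpm 5d41402abc4b2a76b9719d911017c592\n"
        "8.1/RPMS/bad.rpm 5d41402abc4b2a76b9719d911017c592\n"
        "8.1/RPMS/never.rpm 5d41402abc4b2a76b9719d911017c592\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.rpm"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(d, "bad.rpm"), "wb") as f:
            f.write(b"hello, but altered in transit")
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-12s %s" % (name, status))
```

In practice you would paste the vendor's package list into a file, point verify_downloads at the directory the packages were fetched into, and refuse to install anything that is not reported OK.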
 Mandrake Linux 8.1:
  8.1/RPMS/openssh-3.1p1-1.1mdk.i586.rpm
  44ff50aad9a9696ee747d201b9a3bd5f
  8.1/RPMS/openssh-askpass-3.1p1-1.1mdk.i586.rpm
  a8d4315ed3b5fab0e8d8f3abcae36ce7
  8.1/RPMS/openssh-askpass-gnome-3.1p1-1.1mdk.i586.rpm
  4df4ec7a72c4c5dbda179799738b8bd7
  8.1/RPMS/openssh-clients-3.1p1-1.1mdk.i586.rpm
  a332044cf9eaeaaae0af923d55678e2b
  8.1/RPMS/openssh-server-3.1p1-1.1mdk.i586.rpm
  a2a39c0c29d0c3a7660d8c58023edbe4
  http://www.mandrakesecure.net/en/ftp.php
 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1946.html

 NetBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/netbsd_advisory-1978.html

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1943.html

 YellowDog Linux Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1950.html

 Immunix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1961.html

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1948.html

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/slackware_advisory-1944.html

+---------------------------------+
|  rsync                          | ----------------------------//
+---------------------------------+

Ethan Benson discovered a bug in rsync where the supplementary groups
that the rsync daemon runs as (such as root) would not be removed from
the server process after changing to the specified unprivileged uid and
gid.
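The rsync bug above is a privilege-drop ordering mistake that any root-started daemon can make: setgid and setuid change the primary credentials, but the supplementary group list is separate and is only cleared by setgroups, which itself needs root and so must run first. The following is an added example, not rsync's code, that shows the incomplete drop beside the complete one and a check for leftover privilege. FakeProcess is a constructed stand-in for the os module that models the one rule that matters here (changing credentials to new values needs an effective uid of 0; saved uids and capabilities are left out as a simplification); because its method names match os.setgroups, os.setgid, os.setuid, os.getuid, os.getgid and os.getgroups, the same functions can be called with os in a real daemon.

```python
"""Added example: complete vs incomplete privilege drop, with a residual-privilege
check.  FakeProcess is a constructed model standing in for the os module."""
import os


class FakeProcess:
    """Holds uid, gid and supplementary groups and enforces that changing any of
    them to a new value requires effective root (simplified kernel rule)."""

    def __init__(self, uid=0, gid=0, groups=(0, 4)):
        self.uid, self.gid, self.groups = uid, gid, list(groups)

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid

    def getgroups(self):
        return list(self.groups)

    def setgroups(self, groups):
        if self.uid != 0:
            raise PermissionError("setgroups: operation not permitted")
        self.groups = list(groups)

    def setgid(self, gid):
        if self.uid != 0 and gid != self.gid:
            raise PermissionError("setgid: operation not permitted")
        self.gid = gid

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("setuid: operation not permitted")
        self.uid = uid


def drop_privileges_incomplete(proc, uid, gid):
    """The pattern the advisory describes: uid and gid change, but the
    supplementary groups inherited from the root-started parent stay."""
    proc.setgid(gid)
    proc.setuid(uid)


def drop_privileges(proc, uid, gid):
    """Clear supplementary groups first (only possible while still root), then
    the primary gid, then the uid; reversing the order fails with EPERM."""
    proc.setgroups([])
    proc.setgid(gid)
    proc.setuid(uid)


def residual_privilege(proc, uid, gid):
    """Return a list of findings; an empty list means the drop is complete.
    Works against FakeProcess or the real os module."""
    findings = []
    if proc.getuid() != uid:
        findings.append("uid is %d, expected %d" % (proc.getuid(), uid))
    if proc.getgid() != gid:
        findings.append("gid is %d, expected %d" % (proc.getgid(), gid))
    extra = sorted(g for g in proc.getgroups() if g != gid)
    if extra:
        findings.append("supplementary groups still held: %s" % extra)
    return findings


def can_regain_root(proc):
    """True if the process can still switch its uid back to 0."""
    try:
        proc.setuid(0)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    # Real use in a daemon started as root: drop_privileges(os, 65534, 65534)
    for label, fn in (("incomplete", drop_privileges_incomplete), ("complete", drop_privileges)):
        p = FakeProcess(groups=(0, 4))
        fn(p, 65534, 65534)
        print(label, residual_privilege(p, 65534, 65534) or "clean")
    print("current process:", residual_privilege(os, os.getuid(), os.getgid()) or "clean")
```

The residual_privilege check is the part worth keeping: a daemon that calls it right after dropping and refuses to serve if the list is non-empty turns this class of bug from a silent privilege leak into a startup failure.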
 Mandrake Linux 8.1:
  8.1/RPMS/rsync-2.5.4-1.1mdk.i586.rpm
  e3733dc91021b997e656fafe86915fe9
 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1981.html

 Slackware 8.0:
  ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/rsync.tgz
  e88390bae124be2af4b707ad3fbfc791
 Slackware Vendor Advisory:
 http://www.linuxsecurity.com/advisories/slackware_advisory-1974.html

+---------------------------------+
|  gzip                           | ----------------------------//
+---------------------------------+

There are ftp daemon programs that invoke gzip on demand (like wu-ftpd).
If your systems run these daemons, depending on the configuration it
could lead to a remote root compromise.

 NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 NetBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/netbsd_advisory-1977.html

+---------------------------------+
|  NetBSD kernel                  | ----------------------------//
+---------------------------------+

There was a bug in the IPv4 forwarding path, and the inbound SPD
(security policy database) was not consulted on forwarding. As a result,
NetBSD routers configured to be a VPN gateway failed to reject
unencrypted packets.

 NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 NetBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/netbsd_advisory-1979.html

+---------------------------------+
|  php                            | ----------------------------//
+---------------------------------+

Stefan Esser of E-matters security discovered and published[2,3] several
vulnerabilities[4] in the php_mime_split function used for file uploads
that could allow an attacker to execute arbitrary commands on the server.
This affects both PHP4 and PHP3.
 Conectiva: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1942.html

+---------------------------------+
|  fileutils                      | ----------------------------//
+---------------------------------+

The GNU File Utilities are the basic file-manipulation utilities of the
GNU operating system. A race condition in various utilities from the GNU
fileutils package may cause the root user to delete the whole filesystem.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1959.html

+---------------------------------+
|  cvs                            | ----------------------------//
+---------------------------------+

Package updated: patched to link to the shared zlib on the system instead
of statically linking to the included zlib source. Also, mktemp is now
used to create files in /tmp more safely.

 Slackware 8.0:
  ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/cvs.tgz
  6758d0f323e9ebbd9aa1272c6c9dc482
 Slackware Vendor Advisory:
 http://www.linuxsecurity.com/advisories/slackware_advisory-1974.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------