+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  April 5th, 2002                         Volume 3, Number 14a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for the Linux kernel, openssh, cups,
nscd, kde, squid, mod_ssl, XFree86, rsync, and zlib. The vendors include
Caldera and Conectiva. Caldera users especially should pay particularly
close attention to this newsletter. A total of nine specific Caldera
advisories were released this week.

--> Performance and Stability meet Security

EnGarde has everything necessary to create thousands of virtual Web
sites, manage e-mail, DNS, firewalling, and database functions for an
entire organization, and supports high-speed broadband connections, all
using a Web-based front-end. EnGarde Secure Professional provides those
features and more!

http://store.guardiandigital.com/html/eng/promo1.shtml

Dsniff 'n the Mirror - This is a practical step-by-step guide showing
how to use Dsniff, MRTG, IP Flow Meter, Tcpdump, NTOP, Ngrep, and
others. It also provides a discussion of how and why we should monitor
network traffic.

http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html

+---------------------------------+
|  Linux kernel                   | ----------------------------//
+---------------------------------+

For excessively long path names, the kernel-internal d_path function
returns truncated trailing components of the path name instead of an
error value. Because this function is called by the getcwd(2) system
call and the do_proc_readlink() function, false information may be
returned to user-space processes.

 PLEASE SEE VENDOR ADVISORY

 Linux kernel Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1999.html

+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+

A bug exists in the channel code of OpenSSH versions 2.0 through 3.0.2.
Existing users can use this bug to gain root privileges. The ability to
exploit this vulnerability without an existing user account has not yet
been proven, but it is considered possible. A malicious ssh server could
also use this bug to exploit a connecting vulnerable client.

 Caldera OpenLinux Server:
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

 RPMS/openssh-2.9p2-5.i386.rpm
 f628846edca7e40cebf0174d4a02abb9

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2000.html

+---------------------------------+
|  cups                           | ----------------------------//
+---------------------------------+

The authors of CUPS, the Common UNIX Printing System, have found a
potential buffer overflow bug in the code of the CUPS daemon where it
reads the names of attributes.

 Caldera OpenLinux Server:
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

 RPMS/cups-1.1.10-5.i386.rpm
 54c460f1858c9ae1d3c4057812825cbd

 RPMS/cups-client-1.1.10-5.i386.rpm
 1caf530d29b5387d2da32e2bc31340c7

 RPMS/cups-devel-1.1.10-5.i386.rpm
 45b44112561c92cfbb7e8bd11840697e

 RPMS/cups-ppd-1.1.10-5.i386.rpm
 13cbec00ffd614f696f905c35ed63b7b

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2002.html

 Conectiva:
 PLEASE SEE VENDOR ADVISORY

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2007.html

+---------------------------------+
|  nscd                           | ----------------------------//
+---------------------------------+

The Name Service Cache Daemon (nscd) has a default behavior that does
not allow applications to validate DNS "PTR" records against "A" records.
In particular, nscd caches a request for a "PTR" record, and when a
request comes later for the "A" record, nscd simply divulges the
information from the cached "PTR" record instead of querying the
authoritative DNS for the "A" record.

 Caldera OpenLinux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2001.html

+---------------------------------+
|  kde                            | ----------------------------//
+---------------------------------+

In OpenLinux 3.1.1, the startkde script sets the LD_LIBRARY_PATH
environment variable to "/opt/kde2/lib:", which includes the current
working directory in the library search path. This exposes users to
shared library attacks.

 Caldera OpenLinux:
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

 RPMS/kdeconfig-20011203-2.i386.rpm
 080998dc9e5fc03b7b20f3644ae8b31b

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2003.html

+---------------------------------+
|  squid                          | ----------------------------//
+---------------------------------+

If certain constructed ftp:// style URLs are received, squid crashes,
causing a denial of service and possibly remote execution of code.

 Caldera OpenLinux:
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

 RPMS/squid-2.4.STABLE2-3.i386.rpm
 29ca65972c56e9a35a2181ce75bf23a2

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2004.html

+---------------------------------+
|  mod_ssl                        | ----------------------------//
+---------------------------------+

mod_ssl uses underlying OpenSSL routines in a manner that could cause a
buffer overflow.

 Caldera OpenLinux:
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

 RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm
 64223d2995fd5501b440d14d9af35359

 RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
 f45c83a03d7fa38825645d551d5a1489

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2005.html

+---------------------------------+
|  XFree86                        | ----------------------------//
+---------------------------------+

Any user with local X access can exploit the MIT-SHM extension and gain
read/write access to any shared memory segment on the system.

 Caldera OpenLinux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2006.html

+---------------------------------+
|  rsync                          | ----------------------------//
+---------------------------------+

Supplementary groups to which the rsync daemon belongs (such as root)
were not removed from the server process before it performed work as an
unprivileged uid and gid. The rsync daemon was also compiled with a
vulnerable version of the zlib library. This package corrects both of
these issues.

 Caldera OpenLinux:
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

 rsync-2.5.0-5.i386.rpm
 2c8f978df12dabf073361c86f7012210

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2008.html

+---------------------------------+
|  zlib                           | ----------------------------//
+---------------------------------+

CERT CA-2002-07: There is a bug in the zlib compression library that may
manifest itself as a vulnerability in programs that are linked with
zlib. This may allow an attacker to conduct a denial-of-service attack,
gather information, or execute arbitrary code.

 Caldera OpenLinux:
 PLEASE SEE VENDOR ADVISORY

 Caldera Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-2010.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------