+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | May 10th, 2002 Volume 3, Number 19a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week.It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were releaed for mod python, tcpdump, imlib, sysconfig, webmin, netfilter, and dhcp. The vendors include Conectiva, Red Hat, and SuSE. FTP Attack Case Study Part I: The Analysis This article presents a case study of a company network server compromise. The attack and other intruder's actions are analyzed. Computer forensics investigation is undertaken and results are presented. The article provides an opportunity to follow the trail of incident response for the real case. http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html * FREE SSL Guide from Thawte - Are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. --> http://www.gothawte.com/rd249.html +---------------------------------+ | mod python | ----------------------------// +---------------------------------+ As stated[1] by Allan Saddi in the mailing list of mod_python, there was a vulnerability which would allow a publisher to access an indirectly imported module, thus allowing a remote attacker to call functions from that module (which is an unexpected and potentially dangerous behavior). Conectiva: ftp://atualizacoes.conectiva.com.br/8/RPMS/ mod_python-2.7.8-1U8_1cl.i386.rpm Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisories/other_advisory-2051.html Red Hat 7.3 i386: ftp://updates.redhat.com/7.3/en/os/i386/ mod_python-2.7.8-1.i386.rpm 9b9e4a43002cd22f9a8df7fd9784e925 Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2056.html +---------------------------------+ | tcpdump | ----------------------------// +---------------------------------+ tcpdump buffer overflows: during a tcpdump code auditing done by FreeBSD developers, several buffer overflows were discovered[2] in tcpdump versions prior to 3.5. New versions (including 3.6.2) are also vulnerable to another buffer overflow[3] in AFS RPC decoding functions, as pointed out by Nick Cleaton. Conectiva: ftp://atualizacoes.conectiva.com.br/8/RPMS/ libpcap-0.6.2-4U8_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/ libpcap-devel-0.6.2-4U8_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/ libpcap-devel-static-0.6.2-4U8_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/ tcpdump-3.6.2-3U8_1cl.i386.rpm Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisories/other_advisory-2052.html +---------------------------------+ | imlib | ----------------------------// +---------------------------------+ Imlib could, under certain circumstances, revert to using a netpbm library which is well known to have security problems and should not be used for handling untrusted data. Furthermore a heap corruption could occur in the imlib code. SuSE: PLEASE SEE VENDOR ADVISORY FOR UPDATE SuSE Vendor Advisory: http://www.linuxsecurity.com/advisories/suse_advisory-2053.html +---------------------------------+ | sysconfig | ----------------------------// +---------------------------------+ The ifup-dhcp script which is part of the sysconfig package is responsible for setting up network-devices using configuration data obtained from a DHCP server by the dhcpcd DHCP client. It is possible for remote attackers to feed this script with evil data via spoofed DHCP replies for example. This way ifup-dhcp could be tricked into executing arbitrary commands as root. The ifup-dhcp shellscript has been fixed to not source the file containing the possible evil data anymore. SuSE-8.0 ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/ sysconfig-0.23.14-60.i386.rpm 4d6a9f1a3e1a461ebbea9a6e98f4e894 SuSE Vendor Advisory: http://www.linuxsecurity.com/advisories/suse_advisory-2054.html +---------------------------------+ | webmin | ----------------------------// +---------------------------------+ A vulnerability lies in the communication between the parent process and the child process of Webmin and Usermin, which could allow an attacker to spoof a session ID as any user already logged in. This results in the possibility for users who are not logged in, to be able to use these software tools. PLEASE SEE VENDOR ADVISORY FOR UPDATE Webmin Vendor Advisory: http://www.linuxsecurity.com/advisories/other_advisory-2055.html Webmin Vendor Advisory 2: http://www.linuxsecurity.com/advisories/other_advisory-2064.html +---------------------------------+ | netfilter | ----------------------------// +---------------------------------+ When a NAT rule applies to the first packet of a connection and that packet later causes the system to generate an ICMP error message, the ICMP error message is sent out with translated addresses included. This address information incorrectly gives the IP address to which the connection would have been forwarded if the ICMP error message wasnot generated, which exposes information about the netfilter configuration (which ports are being translated) and about the network topology (which address the ports are being forwarded to). Also, the incorrect ICMP packets may be dropped by other intervening stateful firewalls as malformed packets. Red Hat: PLEASE SEE VENDOR ADVISORY FOR UPDATE Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2057.html +---------------------------------+ | dhcp | ----------------------------// +---------------------------------+ Versions ranging from 3 to 3.0.1rc8 (inclusive) have a format string vulnerability[1] that could be exploited remotely. Considering the usage of the DHCP service, this usually means the local area network in this case. Conectiva: ftp://atualizacoes.conectiva.com.br/8/RPMS/ dhcp-3.0-3U8_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/8/RPMS/ dhcp-doc-3.0-3U8_1cl.i386.rpm Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisories/other_advisory-2058.html DHCP Vendor Advisory: http://www.linuxsecurity.com/advisories/other_advisory-2065.html +---------------------------------+ | OpenBSD | ----------------------------// +---------------------------------+ On current OpenBSD systems, any local user (being or not in the wheel group) can fill the kernel file descriptors table, leading to a denial of service. Because of a flaw in the way the kernel checks closed file descriptors 0-2 when running a setuid program, it is possible to combine these bugs and earn root access by winning a race condition. PLEASE SEE VENDOR ADVISORY FOR UPDATE http://www.linuxsecurity.com/advisories/openbsd_advisory-2062.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------