+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| May 10th, 2002 Volume 3, Number 19a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@linuxsecurity.com ben@linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.It
includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were releaed for mod python, tcpdump, imlib,
sysconfig, webmin, netfilter, and dhcp. The vendors include Conectiva,
Red Hat, and SuSE.
FTP Attack Case Study Part I: The Analysis This article presents a case
study of a company network server compromise. The attack and other
intruder's actions are analyzed. Computer forensics investigation is
undertaken and results are presented. The article provides an opportunity
to follow the trail of incident response for the real case.
http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html
* FREE SSL Guide from Thawte - Are you planning your Web Server Security?
Click here to get a FREE Thawte SSL guide and find the answers to all your
SSL security issues.
--> http://www.gothawte.com/rd249.html
+---------------------------------+
| mod python | ----------------------------//
+---------------------------------+
As stated[1] by Allan Saddi in the mailing list of mod_python, there was a
vulnerability which would allow a publisher to access an indirectly
imported module, thus allowing a remote attacker to call functions from
that module (which is an unexpected and potentially dangerous behavior).
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/
mod_python-2.7.8-1U8_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2051.html
Red Hat 7.3 i386:
ftp://updates.redhat.com/7.3/en/os/i386/
mod_python-2.7.8-1.i386.rpm
9b9e4a43002cd22f9a8df7fd9784e925
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2056.html
+---------------------------------+
| tcpdump | ----------------------------//
+---------------------------------+
tcpdump buffer overflows: during a tcpdump code auditing done by FreeBSD
developers, several buffer overflows were discovered[2] in tcpdump
versions prior to 3.5. New versions (including 3.6.2) are also vulnerable
to another buffer overflow[3] in AFS RPC decoding functions, as pointed
out by Nick Cleaton.
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/
libpcap-0.6.2-4U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
libpcap-devel-0.6.2-4U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
libpcap-devel-static-0.6.2-4U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
tcpdump-3.6.2-3U8_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2052.html
+---------------------------------+
| imlib | ----------------------------//
+---------------------------------+
Imlib could, under certain circumstances, revert to using a netpbm library
which is well known to have security problems and should not be used for
handling untrusted data. Furthermore a heap corruption could occur in the
imlib code.
SuSE:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2053.html
+---------------------------------+
| sysconfig | ----------------------------//
+---------------------------------+
The ifup-dhcp script which is part of the sysconfig package is responsible
for setting up network-devices using configuration data obtained from a
DHCP server by the dhcpcd DHCP client. It is possible for remote attackers
to feed this script with evil data via spoofed DHCP replies for example.
This way ifup-dhcp could be tricked into executing arbitrary commands as
root. The ifup-dhcp shellscript has been fixed to not source the file
containing the possible evil data anymore.
SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/
sysconfig-0.23.14-60.i386.rpm
4d6a9f1a3e1a461ebbea9a6e98f4e894
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2054.html
+---------------------------------+
| webmin | ----------------------------//
+---------------------------------+
A vulnerability lies in the communication between the parent process and
the child process of Webmin and Usermin, which could allow an attacker to
spoof a session ID as any user already logged in. This results in the
possibility for users who are not logged in, to be able to use these
software tools.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Webmin Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2055.html
Webmin Vendor Advisory 2:
http://www.linuxsecurity.com/advisories/other_advisory-2064.html
+---------------------------------+
| netfilter | ----------------------------//
+---------------------------------+
When a NAT rule applies to the first packet of a connection and that
packet later causes the system to generate an ICMP error message, the ICMP
error message is sent out with translated addresses included. This address
information incorrectly gives the IP address to which the connection would
have been forwarded if the ICMP error message wasnot generated, which
exposes information about the netfilter configuration (which ports are
being translated) and about the network topology (which address the ports
are being forwarded to). Also, the incorrect ICMP packets may be dropped
by other intervening stateful firewalls as malformed packets.
Red Hat:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2057.html
+---------------------------------+
| dhcp | ----------------------------//
+---------------------------------+
Versions ranging from 3 to 3.0.1rc8 (inclusive) have a format string
vulnerability[1] that could be exploited remotely. Considering the usage
of the DHCP service, this usually means the local area network in this
case.
Conectiva:
ftp://atualizacoes.conectiva.com.br/8/RPMS/
dhcp-3.0-3U8_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/
dhcp-doc-3.0-3U8_1cl.i386.rpm
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2058.html
DHCP Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2065.html
+---------------------------------+
| OpenBSD | ----------------------------//
+---------------------------------+
On current OpenBSD systems, any local user (being or not in the wheel
group) can fill the kernel file descriptors table, leading to a denial of
service. Because of a flaw in the way the kernel checks closed file
descriptors 0-2 when running a setuid program, it is possible to combine
these bugs and earn root access by winning a race condition.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
http://www.linuxsecurity.com/advisories/openbsd_advisory-2062.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
