+----------------------------------------------------------------+
|  LinuxSecurity.com                         Linux Advisory Watch |
|  May 31st, 2002                            Volume 3, Number 22a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for k5su, bzip2, kernel, rc, imap,
perl-Digest-MD5, fetchmail, dhcp, mailman, mozilla, nss_ldap, and
tcpdump. The vendors include Conectiva, FreeBSD, Mandrake, Red Hat, and
SuSE.

FEATURE: Flying Pigs: Snorting Next Generation Secure Remote Log Servers
over TCP: A Comprehensive Guide to Building Encrypted, Secure Remote
Syslog-ng Servers with the Snort Intrusion Detection System.
http://www.linuxsecurity.com/feature_stories/snortlog-part1.html

** Build Complete Internet Presence Quickly and Securely! **
EnGarde Secure Linux has everything necessary to create thousands of
virtual Web sites, manage e-mail, DNS, firewalling, and database
functions for an entire organization, all using a secure Web-based
front-end. Engineered to be secure and easy to use!
--> http://www.guardiandigital.com/promo/ls230502.html

+---------------------------------+
|  k5su                           | ----------------------------//
+---------------------------------+

Contrary to the expectations of many BSD system administrators, users
not in group `wheel' may use k5su to attempt to obtain superuser
privileges. Note that this would require knowledge of the root account
password, or an explicit entry in the Kerberos 5 `.k5login' ACL for the
root account.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2094.html

+---------------------------------+
|  bzip2                          | ----------------------------//
+---------------------------------+

Files may be inadvertently overwritten without warning. Due to the race
condition between creating files and setting proper permissions, a local
user may be able to read the contents of files regardless of their
intended permissions. Decompressed files that were originally pointed to
by a symbolic link may end up with incorrect permissions, allowing local
users to view their contents.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2095.html

+---------------------------------+
|  FreeBSD kernel                 | ----------------------------//
+---------------------------------+

By simply connecting to a socket using accept filtering and holding a
few hundred sockets open (~190 with the default backlog value), one may
deny access to a service. In addition to malicious users, this effect
has also been reported to be caused by worms such as Code Red, which
generate URLs that do not meet the http accept filter's criteria.

FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2102.html

+---------------------------------+
|  rc                             | ----------------------------//
+---------------------------------+

Users may remove the contents of arbitrary directories if the
/tmp/.X11-unix directory does not already exist and the system can be
enticed to reboot (or the user can wait until the next system
maintenance window).

FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch

FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2103.html

+---------------------------------+
|  imap                           | ----------------------------//
+---------------------------------+

A buffer overflow was discovered in the imap server that could allow a
malicious user to run code on the server with the uid and gid of the
email owner by constructing a malformed request that would trigger the
buffer overflow. However, the user must successfully authenticate to the
imap service in order to exploit it, which limits the scope of the
vulnerability somewhat, unless you are a free mail provider or run a
mail service where users do not already have shell access to the system.

Mandrake Linux 8.2:
  8.2/RPMS/imap-2001a-5.1mdk.i586.rpm
    6f76f364c6c5c9ba37a200bfec94021c
  8.2/RPMS/imap-devel-2001a-5.1mdk.i586.rpm
    43729a72c87d22c1b711f89c767be6f3
  http://www.mandrakesecure.net/en/ftp.php

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2091.html

Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-2000c-12U8_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-2000c-12U8_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-static-2000c-12U8_2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-doc-2000c-12U8_2cl.i386.rpm

Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2087.html

Red Hat 7.2:
  i386:
  ftp://updates.redhat.com/7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
    d2d9a10cb6c8faed062da4f21d8fb7e5
  ftp://updates.redhat.com/7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm
    21feec5a469ff71e706173199ffc3856

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2088.html

+---------------------------------+
|  perl-Digest-MD5                | ----------------------------//
+---------------------------------+

A bug exists in the UTF8 interaction between the perl-Digest-MD5 module
and perl that results in UTF8 strings having improper MD5 digests. The
2.20 version of the module corrects this problem.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2092.html

+---------------------------------+
|  fetchmail                      | ----------------------------//
+---------------------------------+

A problem was discovered with versions of fetchmail prior to 5.9.10 that
was triggered by retrieving mail from an IMAP server. The fetchmail
client will allocate an array to store the sizes of the messages it is
attempting to retrieve. This array size is determined by the number of
messages the server is claiming to have, and fetchmail would not check
whether or not the number of messages the server was claiming was too
high. This would allow a malicious server to make the fetchmail process
write data outside of the array bounds.

Mandrake Linux 8.2:
  8.2/RPMS/fetchmail-5.9.11-6.1mdk.i586.rpm
    62ae12e980691928fb97a53665ea8aec
  8.2/RPMS/fetchmail-daemon-5.9.11-6.1mdk.i586.rpm
    2421a5a2606b79e9e0c2a4336d7314e2
  8.2/RPMS/fetchmailconf-5.9.11-6.1mdk.i586.rpm
    aa06981d47199bce1d67ae6dee07581e
  http://www.mandrakesecure.net/en/ftp.php

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2093.html

+---------------------------------+
|  dhcp                           | ----------------------------//
+---------------------------------+

Fermin J. Serna discovered a problem in the dhcp server and client
package from versions 3.0 to 3.0.1rc8, which are affected by a format
string vulnerability that can be exploited remotely. By default, these
versions of DHCP are compiled with the dns update feature enabled, which
allows DHCP to update DNS records. The code that logs this update has an
exploitable format string vulnerability; the update message can contain
data provided by the attacker, such as a hostname.

A successful exploitation could give the attacker elevated privileges
equivalent to the user running the DHCP daemon, which is the user dhcpd
in Mandrake Linux 8.x, but root in earlier versions.

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2099.html

+---------------------------------+
|  mailman                        | ----------------------------//
+---------------------------------+

According to this announcement, "office" reported such a vulnerability
in the login page, and Tristan Roddis reported one in the Pipermail
index summaries.

Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/mailman-2.0.11-1U8_1cl.i386.rpm

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2089.html

+---------------------------------+
|  mozilla                        | ----------------------------//
+---------------------------------+

GreyMagic Security found[1] a vulnerability[2] in mozilla prior to
version 1.0rc1 which allows a hostile site to read and list user files.
The vulnerability was related to XMLHTTP, a component that is primarily
used for retrieving XML documents from a web server.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2098.html

+---------------------------------+
|  nss_ldap                       | ----------------------------//
+---------------------------------+

Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7.0,
7.1, 7.2, and 7.3. These packages fix a string format vulnerability in
the pam_ldap module.

Red Hat Linux 7.3 i386:
  ftp://updates.redhat.com/7.3/en/os/i386/nss_ldap-189-2.i386.rpm
    d2b2402e6c59f886556872d6b2bc2f16

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2090.html

+---------------------------------+
|  tcpdump                        | ----------------------------//
+---------------------------------+

Updated tcpdump, libpcap, and arpwatch packages are available for Red
Hat Linux 6.2 and 7.x. These updates close a buffer overflow when
handling NFS packets.

Red Hat Linux 7.2 i386:
  ftp://updates.redhat.com/7.2/en/os/i386/tcpdump-3.6.2-11.7.2.0.i386.rpm
    cc168b456fbde106ad1879fe7346c1ee
  ftp://updates.redhat.com/7.2/en/os/i386/libpcap-0.6.2-11.7.2.0.i386.rpm
    f26ebb5d1cbb91d4b5effd9174f1728d
  ftp://updates.redhat.com/7.2/en/os/i386/arpwatch-2.1a11-11.7.2.0.i386.rpm
    74863a3b3110d2dbb03a03c1ad213152

Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2100.html

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2097.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
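The fetchmail entry above describes a client that sizes an array from a message count the server supplies and then trusts the server's message numbers to stay inside it. The C program below is an added illustration, not fetchmail's code and not part of the newsletter: it replays constructed IMAP responses through the two client-side checks that close that gap (a sanity bound on the announced count, and a per-message bounds check before each store). MAX_MESSAGES, process_mailbox and the sample transcripts are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MESSAGES 100000L /* hypothetical ceiling for this example, not fetchmail's */
/* Replay a constructed IMAP transcript as a client would: size a message-size
 * array from "* <n> EXISTS", then store the size from each "* <num> FETCH" line.
 * Returns -1 if the announced count is missing or implausible, otherwise the
 * number of FETCH lines rejected because <num> lies outside the sized array. */
int process_mailbox(const char *const *lines, int nlines) {
    long count = -1, *sizes = NULL;
    int rejected = 0;
    for (int i = 0; i < nlines; i++) {
        long num, size;
        char kw[32];
        if (sscanf(lines[i], "* %ld %31s", &num, kw) != 2) continue;
        if (strcmp(kw, "EXISTS") == 0) {
            /* Check the server-supplied count before it sizes an allocation. */
            if (num < 0 || num > MAX_MESSAGES) { free(sizes); return -1; }
            free(sizes);
            count = num;
            sizes = calloc((size_t)count + 1, sizeof *sizes); /* +1: never calloc(0) */
            if (!sizes) return -1;
        } else if (strcmp(kw, "FETCH") == 0) {
            /* 1-based message numbers; anything past the announced count would write outside the array. */
            if (count < 0 || num < 1 || num > count ||
                sscanf(lines[i], "* %ld FETCH (RFC822.SIZE %ld)", &num, &size) != 2) {
                rejected++;
                continue;
            }
            sizes[num - 1] = size;
        }
    }
    free(sizes);
    return rejected;
}
/* Constructed transcripts: a well-behaved server, one reporting a message number
 * far beyond the two it announced, and one announcing an absurd count. */
static const char *const NORMAL_SESSION[] = {
    "* 2 EXISTS", "* 1 FETCH (RFC822.SIZE 1024)", "* 2 FETCH (RFC822.SIZE 2048)" };
static const char *const HOSTILE_SESSION[] = {
    "* 2 EXISTS", "* 1 FETCH (RFC822.SIZE 1024)", "* 5000 FETCH (RFC822.SIZE 7)" };
static const char *const OVERSIZED_SESSION[] = { "* 999999 EXISTS" };

int main(void) {
    printf("normal: %d rejected\n", process_mailbox(NORMAL_SESSION, 3));   /* 0 */
    printf("hostile: %d rejected\n", process_mailbox(HOSTILE_SESSION, 3)); /* 1 */
    printf("oversized: %d\n", process_mailbox(OVERSIZED_SESSION, 1));      /* -1 */
    return 0;
}
```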