+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  June 7th, 2002                          Volume 3, Number 23a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for tcpdump, uucp, ethereal, dhcp,
bind, mailman, Conectiva's kernel, imap, nss_ldap, ghostscript, and
xchat. The vendors include Caldera, Conectiva, Debian, EnGarde,
Mandrake, Red Hat, SuSE, Trustix, and Yellow Dog.

FEATURE: Flying Pigs: Snorting Next Generation Secure Remote Log
Servers over TCP: A Comprehensive Guide to Building Encrypted, Secure
Remote Syslog-ng Servers with the Snort Intrusion Detection System.

  http://www.linuxsecurity.com/feature_stories/snortlog-part1.html

+---------------------------------+
|  tcpdump                        | ----------------------------//
+---------------------------------+

The tcpdump program is vulnerable to several buffer overflows, the most
serious of which are problems with the decoding of AFS RPC packets and
the handling of malformed NFS packets. These may allow a remote
attacker to cause arbitrary instructions to be executed with the
privileges of the tcpdump process (usually root).

  Caldera OpenLinux 3.1.1 Server:
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS/
  tcpdump-3.6.2-2.i386.rpm
  86ebdc7304a9474350d6347de67cd801

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2114.html

  Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  tcpdump-3.6.2-3U8_2cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2113.html

  Trustix:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2116.html

  Yellow Dog:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2123.html

+---------------------------------+
|  uucp                           | ----------------------------//
+---------------------------------+

We have received reports that in.uucpd, an authentication agent in the
uucp package, does not properly terminate certain long input strings.
This has been corrected in uucp package version 1.06.1-11potato3 for
Debian 2.2 (potato) and in version 1.06.1-18 for the upcoming (woody)
release.

  Debian: Intel IA-32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  uucp_1.06.1-11potato3_i386.deb
  MD5 checksum: 26f22db0eeed4cabad46861112d94d47

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2104.html

+---------------------------------+
|  ethereal                       | ----------------------------//
+---------------------------------+

Ethereal versions prior to 0.9.3 were vulnerable to an allocation error
in the ASN.1 parser. This can be triggered when analyzing traffic using
the SNMP, LDAP, COPS, or Kerberos protocols in ethereal. This
vulnerability was announced in the ethereal security advisory.

  Debian: Intel IA-32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  ethereal_0.8.0-3potato_i386.deb
  MD5 checksum: cf6925bce3de49332f93105ac801be31

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2105.html

  Yellow Dog Linux:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2127.html

  Red Hat Linux 7.3: i386:
  ftp://updates.redhat.com/7.3/en/os/i386/
  ethereal-0.9.4-0.7.3.0.i386.rpm
  52a3074dea1e4e9563558e523a659bc5

  ftp://updates.redhat.com/7.3/en/os/i386/
  ethereal-gnome-0.9.4-0.7.3.0.i386.rpm
  1650416f14b9f6a7cb15aa2f38f20bf4

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2119.html

+---------------------------------+
|  dhcp                           | ----------------------------//
+---------------------------------+

Fermin J. Serna discovered a problem in the dhcp server and client
package from versions 3.0 to 3.0.1rc8, which are affected by a format
string vulnerability that can be exploited remotely. By default, these
versions of DHCP are compiled with the dns update feature enabled,
which allows DHCP to update DNS records. The code that logs this update
has an exploitable format string vulnerability; the update message can
contain data provided by the attacker, such as a hostname.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2110.html

+---------------------------------+
|  bind                           | ----------------------------//
+---------------------------------+

A vulnerability was discovered in the BIND9 DNS server in versions
prior to 9.2.1. An error condition will trigger the shutdown of the
server when the rdataset parameter to the dns_message_findtype()
function in message.c is not NULL as expected. This condition causes
the server to assert an error message and shut down the BIND server.
The error condition can be remotely exploited by a special DNS packet.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2112.html

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2126.html

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2109.html

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2115.html

+---------------------------------+
|  mailman                        | ----------------------------//
+---------------------------------+

Barry A. Warsaw announced[2] a new version of mailman that fixes two
cross-site scripting vulnerabilities. According to this announcement,
"office" reported such a vulnerability in the login page, and Tristan
Roddis reported one in the Pipermail index summaries.

  Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  mailman-2.0.11-1U8_1cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2111.html

+---------------------------------+
|  Conectiva kernel               | ----------------------------//
+---------------------------------+

It is recommended that all users upgrade the kernel.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2117.html

+---------------------------------+
|  imap                           | ----------------------------//
+---------------------------------+

There is a buffer overflow vulnerability in imap which can allow a
remote, authenticated user to execute commands as the user under which
imapd is running.

  EnGarde:
  i386/imap-2000c-1.0.23.i386.rpm
  MD5 Sum: abb2189c4168ef80dc7a1884af3bac05

  i386/imap-2000c-1.0.23.i686.rpm
  MD5 Sum: 3c6b50e75b8f09ebe5e97b71e94117d5

  EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2120.html

  Yellow Dog Linux:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2121.html

+---------------------------------+
|  nss_ldap                       | ----------------------------//
+---------------------------------+

The pam_ldap module provides authentication for user access to a system
by consulting a directory using LDAP. Versions of pam_ldap prior to
version 144 include a format string bug in the logging function. The
packages included in this erratum update pam_ldap to version 144,
fixing this bug.

  Yellow Dog Linux:
  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
  ppc/authconfig-4.1.19.2-1.ppc.rpm
  bcc6a0ebe130c633592ee0dcd4c356df

  ppc/nss_ldap-189-2.ppc.rpm
  79268cb16005e49a206e4bea975ba890

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2122.html

  Red Hat Linux 7.3: i386:
  ftp://updates.redhat.com/7.3/en/os/i386/
  nss_ldap-189-2.i386.rpm
  d2b2402e6c59f886556872d6b2bc2f16

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2106.html

+---------------------------------+
|  ghostscript                    | ----------------------------//
+---------------------------------+

Ghostscript is a program for displaying PostScript files or printing
them to non-PostScript printers. An untrusted PostScript file can cause
ghostscript to execute arbitrary commands due to insufficient checking.
Since ghostscript is often used during the course of printing a
document (and is run as user 'lp'), all users should install these
fixed packages.

  Yellow Dog Linux:
  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
  ppc/printconf-0.3.61-4.1.ppc.rpm
  ddc5d90a8b44b383ae7f25493823eee6

  ppc/printconf-gui-0.3.61-4.1.ppc.rpm
  984c9d6813af85e8b124e0f9f709ec4f

  ppc/ghostscript-6.51-16.2a.ppc.rpm
  ba63816e522739225663943ef901705b

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2124.html

  Red Hat Linux 7.3: i386:
  ftp://updates.redhat.com/7.3/en/os/i386/
  ghostscript-6.52-9.4.i386.rpm

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2108.html

+---------------------------------+
|  xchat                          | ----------------------------//
+---------------------------------+

Versions of XChat prior to 1.8.9 do not filter the response from an IRC
server when a /dns query is executed. Because XChat resolves hostnames
by passing the configured resolver and hostname to a shell, an IRC
server may return a maliciously formatted response that executes
arbitrary commands with the privileges of the user running XChat.

  Yellow Dog Linux:
  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/
  ppc/xchat-1.8.9-2a.ppc.rpm
  d3d8742b3eb43b9a39f0c439b1f7b560

  Yellow Dog Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2125.html

  Red Hat Linux 7.3: i386:
  ftp://updates.redhat.com/7.3/en/os/i386/
  xchat-1.8.9-1.73.0.i386.rpm
  bc85e6662044a386ce35b472635444fa

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2107.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------