Linux Advisory Watch - June 28th 2002

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  June 28th, 2002                          Volume 3, Number 26a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.
 

This week, advisories were released for openssh, apache, and secureweb.  
The vendors include Conectiva, Debian, EnGarde, Immunix, Mandrake, Red
Hat, and Yellow Dog.

*Developing with open standards? Demanding High Performance?*

Catch the Oracle9i JDeveloper wave now and check out how built-in profilers
and CodeCoach make your Java code tighter and faster than ever
before. Download your FREE copy of Oracle9i JDeveloper Today.

  http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle1 
  

EnGarde Secure Linux walks away with Network Computing Editor's Choice
"EnGarde walked away with our Editor's Choice award thanks to the depth of
its security strategy, which covers nearly all the bases. Everything from
the low-level mechanisms (binary integrity checking and stack protection)
to high-level usability issues (including an excellent patching interface)
demonstrate the serious effort the Guardian Digital crew has invested in
EnGarde."

http://www.linuxsecurity.com/articles/vendors_products_article-5106.html 


  
+---------------------------------+
|  openssh                        | ----------------------------//
+---------------------------------+  

Theo de Raadt announced the existence of an upcoming vulnerability in the
OpenSSH secure shell daemon.  He also noted that versions of sshd with a
new feature called "privilege separation" were immune to the attack (which
he gave no details on).  Thus we were required to upgrade to OpenSSH
3.3p1, a major upgrade from versions we have shipped in the past.
  

 EnGarde: 
 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ 
 i386/openssh-3.3p1-1.0.20.i386.rpm 
 MD5 Sum: d23e26a839a6a4db4de0096bffaef569 

 i386/openssh-clients-3.3p1-1.0.20.i386.rpm 
 MD5 Sum: bc0032917f4f4d2d350ab7069ff569cb 

 i386/openssh-server-3.3p1-1.0.20.i386.rpm 
 MD5 Sum: 2fbee870d2c12d3d6ed35ee5dc629fdf 

 EnGarde Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2157.html 
  

 Debian: i386 architecture (Intel ia32) 
 http://security.debian.org/pool/updates/main/o/
 openssh/ssh_3.3p1-0.0woody1_i386.deb 
 Size/MD5 checksum: 
 637940 c3743ca590e7efd74cb97d5be98456be 

 http://security.debian.org/pool/updates/main/o/
 openssh/ssh-askpass-gnome_3.3p1-0.0woody1_i386.deb 
 Size/MD5 checksum: 
 32928 d8a53753324406f2d9a386451e02e40d 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2153.html 

 Updated Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2161.html 
  

 Mandrake Linux 8.2: 
 http://www.mandrakesecure.net/en/ftp.php 

 8.2/RPMS/openssh-3.3p1-3.1mdk.i586.rpm 
 cc9ac93261db3dbd80e5c8be6ce2da6d 

 8.2/RPMS/openssh-askpass-3.3p1-3.1mdk.i586.rpm 
 79b317116fda4968073a47ceaea8c0f1 

 8.2/RPMS/openssh-askpass-gnome-3.3p1-3.1mdk.i586.rpm 
 50158609a46ef79d10cb429cac398e82 

 8.2/RPMS/openssh-clients-3.3p1-3.1mdk.i586.rpm 
 298cae54073f902410aa1f6be7748755 

 8.2/RPMS/openssh-server-3.3p1-3.1mdk.i586.rpm 
 a32f267bf83538d326febc86932bab52 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2154.html 

  

 SuSE i386 Intel Platform - SuSE-8.0 
 ftp://ftp.suse.com/pub/suse/i386/update/8.0/ 
 sec1/openssh-3.3p1-6.i386.patch.rpm 
 aa29ca8bcedf674605c69d3ebb20456c 

 ftp://ftp.suse.com/pub/suse/i386/update/8.0/ 
 sec1/openssh-3.3p1-6.i386.rpm 
 568b475b982721e62f557557c59624fb 

 SuSE Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/suse_advisory-2159.html 
  

 Conectiva: 
 ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
 openssh-3.3p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
 openssh-askpass-3.3p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
 openssh-askpass-gnome-3.3p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
 openssh-clients-3.3p1-1U8_1cl.i386.rpm 

 ftp://atualizacoes.conectiva.com.br/8/RPMS/ 
 openssh-server-3.3p1-1U8_1cl.i386.rpm 

 Conectiva Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2160.html 
  
 
 Yellow Dog Linux: 
 PLEASE SEE VENDOR ADVISORY 

 Yellow Dog Linux Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2164.html 

 Immunix: 
 PLEASE SEE VENDOR ADVISORY 

 Immunix Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2162.html


  
+---------------------------------+
|  secureweb                      | ----------------------------//
+---------------------------------+  

Versions of the Apache Web server up to and including 1.3.24 contain a
bug in the routines which deal with requests that are processed with
"chunked" encoding. A carefully crafted invalid request can cause an Apache
child process to call the memcpy() function in a way that will write past
the end of its buffer, corrupting the stack.

 Red Hat: i386: 
 ftp://updates.redhat.com/other_prod/secureweb/3.2/i386/ 
 secureweb-3.2.6-1.i386.rpm.rhmask 
 0ab5997be631fdee7d000b6d6767ed0d 

 ftp://updates.redhat.com/other_prod/secureweb/3.2/i386/  
 secureweb-devel-3.2.6-1.i386.rpm 
 eb4d09fb8452f62d02e443bdaea0bbd9 

 ftp://updates.redhat.com/other_prod/secureweb/3.2/i386/ 
 secureweb-manual-3.2.6-1.i386.rpm 
 0ebbcd3faadd569717fb85caf5b18320 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2165.html 
  
  
  
 
+---------------------------------+
|  apache                         | ----------------------------//
+---------------------------------+  

A Denial of Service attack was discovered by Mark Litchfield in the Apache
web server.  In addition, while investigating this problem, the Apache Software
Foundation discovered that the code for handling invalid requests that use
chunked encoding may also allow arbitrary code to be executed on 64-bit
architectures.
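The flaw described in the secureweb and apache items above is the same one: a memcpy() whose length comes from the request's chunk-size field without the destination being checked. The C program below is an added example, not Apache's code and not any vendor's patch; it shows what a defensive chunk-body decoder has to verify before copying, namely that the declared size parses as a bounded hexadecimal number, that the bytes are actually present in the input, and that they fit in the room left in the output buffer. The sample bodies and the 64-byte buffer size are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the receiver's reassembly buffer (constructed value). */
#define BODY_MAX 64

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (!isxdigit(c)) return -1;
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Index of the first CRLF within p[0..n), or -1 if there is none. */
static long find_crlf(const char *p, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++)
        if (p[i] == '\r' && p[i + 1] == '\n') return (long)i;
    return -1;
}

/* Parse the hex chunk-size field of one size line (len bytes, CRLF excluded).
 * Accepts 1..8 hex digits, optionally followed by a ";ext" chunk extension, so
 * the result is always 0..0xFFFFFFFF: it can neither be negative nor wrap.
 * Returns -1 for anything else. */
static long long parse_chunk_size(const char *line, size_t len)
{
    long long size = 0;
    size_t i = 0;
    while (i < len && hexval((unsigned char)line[i]) >= 0) {
        if (i == 8) return -1;                 /* too wide to be a sane size */
        size = size * 16 + hexval((unsigned char)line[i]);
        i++;
    }
    if (i == 0) return -1;                     /* no digits at all */
    if (i < len && line[i] != ';') return -1;  /* junk after the size */
    return size;
}

/* Decode a chunked body in[0..in_len) into out (capacity out_cap).
 * Returns the decoded length, or -1 if the body is malformed, truncated, or
 * declares a chunk that would write past out_cap. Trailers are ignored. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;

    for (;;) {
        long eol = find_crlf(in + pos, in_len - pos);
        if (eol < 0) return -1;
        long long size = parse_chunk_size(in + pos, (size_t)eol);
        if (size < 0) return -1;
        pos += (size_t)eol + 2;

        if (size == 0) return (long)out_len;   /* last chunk */

        /* The two checks that keep memcpy() inside both buffers: the chunk must
         * fit in the room left in out, and must actually be present in in. */
        if ((unsigned long long)size > out_cap - out_len) return -1;
        if ((unsigned long long)size + 2 > in_len - pos) return -1;

        memcpy(out + out_len, in + pos, (size_t)size);
        out_len += (size_t)size;
        pos += (size_t)size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* Constructed sample bodies (not captured traffic). */
static const char SAMPLE_OK[]    = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
static const char SAMPLE_EXT[]   = "4;name=value\r\nWiki\r\n0\r\n\r\n";
static const char SAMPLE_HUGE[]  = "FFFFFFFF\r\nWiki\r\n0\r\n\r\n";   /* claims 4 GiB */
static const char SAMPLE_WIDE[]  = "100000000\r\nWiki\r\n0\r\n\r\n";  /* 9 hex digits */
static const char SAMPLE_SHORT[] = "10\r\nWiki\r\n0\r\n\r\n";         /* claims 16, sends 4 */

static char decoded[BODY_MAX + 1];

/* Decode a NUL-terminated sample into the shared buffer; returns length or -1. */
long decode_sample(const char *body)
{
    long n = decode_chunked(body, strlen(body), decoded, BODY_MAX);
    decoded[n < 0 ? 0 : n] = '\0';
    return n;
}

int main(void)
{
    const char *bodies[] = { SAMPLE_OK, SAMPLE_EXT, SAMPLE_HUGE, SAMPLE_WIDE, SAMPLE_SHORT };
    for (int i = 0; i < 5; i++) {
        long n = decode_sample(bodies[i]);
        if (n < 0) printf("sample %d: rejected\n", i);
        else       printf("sample %d: %ld bytes \"%s\"\n", i, n, decoded);
    }
    return 0;
}
```

The size bound on the hex field matters as much as the buffer check: a size read into a signed integer and compared once can pass a "less than buffer" test and still drive memcpy() with a huge unsigned length, so the decoder here caps the field width before it ever compares sizes.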

 Mandrake: 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2152.html 


 Updated Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2155.html 

 Yellow Dog Linux: 
 http://www.linuxsecurity.com/advisories/other_advisory-2163.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

