+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  July 12th, 2002                          Volume 3, Number 28a |
+----------------------------------------------------------------+

Editors:     Dave Wreski                  Benjamin Thomas
             dave@linuxsecurity.com       ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for LPRng, squid, and bind/glibc.
The vendors include Conectiva, Mandrake, and SuSE.

If you missed last week's newsletter, or have not yet updated apache,
please visit the following URLs:

  July 5th 2002:  http://www.linuxsecurity.com/articles/forums_article-5255.html
  June 28th 2002: http://www.linuxsecurity.com/articles/forums_article-5211.html
  June 21st 2002: http://www.linuxsecurity.com/articles/forums_article-3.html

- Guardian Digital Combats Proprietary Software Licensing Deadline -

Guardian Digital, Inc., the first full-service open source Internet
server security company, has announced a special incentive program
designed to provide companies with an alternative to Windows-based
servers and applications as the July 31st deadline for Microsoft's new
licensing program approaches.

  Press Release:
  http://www.guardiandigital.com/company/press/EnGarde-Licensing-Promotion.pdf
  Save Now:
  http://store.guardiandigital.com/html/eng/493-AA.shtml

FEATURE: Threat Becomes Vulnerability Becomes Exploit

The recent situation regarding the Apache Chunk Encoding Vulnerability
has caused plenty of controversy in the security industry. It began
with the community's dislike of the way the information was released.

http://www.linuxsecurity.com/feature_stories/feature_story-113.html
+---------------------------------+
| LPRng                           | ----------------------------//
+---------------------------------+

Matthew Caron pointed out that using the LPRng default configuration,
the lpd daemon will accept job submissions from any remote host. These
updated LPRng packages modify the job submission policy in
/etc/lpd.perms to refuse print jobs from remote hosts by default.

Mandrake Linux 8.2:
  8.2/RPMS/LPRng-3.8.6-2.1mdk.i586.rpm    c22c7e66ba57a5adc12bc989e3e315d0
  8.2/SRPMS/LPRng-3.8.6-2.1mdk.src.rpm    ef4539669b170549739a538c530131e9
  http://www.mandrakesecure.net/en/ftp.php

Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2188.html

+---------------------------------+
| squid                           | ----------------------------//
+---------------------------------+

An attacker can exploit some of the squid vulnerabilities addressed by
these updates to execute arbitrary code remotely as the user running
squid (which in Conectiva Linux is "proxy" or "nobody"), cause a
Denial-of-Service (DoS) in the server, or inject invalid data into, or
retrieve invalid data from, the network.
Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-2.4.7-1U8_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-auth-2.4.7-1U8_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-doc-2.4.7-1U8_3cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/8/RPMS/squid-templates-2.4.7-1U8_3cl.i386.rpm

Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-2189.html

SuSE-8.0: i386
  ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/squid-2.4.STABLE6-2.i386.rpm
      01f5c698e0418e6055e9ed1018493380
  ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/squid-2.4.STABLE6-9.i386.patch.rpm
      917c26da9c444085d045b708548eae3e
  ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/squid-2.4.STABLE6-9.i386.rpm
      fa4780901f96712ea22eef28bdf53700

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2191.html

+---------------------------------+
| bind/glibc                      | ----------------------------//
+---------------------------------+

A vulnerability has been discovered in some resolver library functions.
The affected code goes back to the resolver library shipped as part of
BIND4; code derived from it has been included in later BIND releases as
well as the GNU libc.

SuSE: PLEASE SEE VENDOR ADVISORY FOR UPDATE

SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2193.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
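As an added illustration of the LPRng item in this issue (example code, not LPRng's own or any vendor's), the model below shows why an lpd.perms policy with no remote restriction accepts lpr jobs from any host, and how a leading REJECT for non-local job submission refuses them while leaving local submission and remote status queries alone. The rule syntax (ACCEPT/REJECT/DEFAULT, SERVICE=, SERVER, NOT), the first-match semantics, and both policies are assumptions constructed for this example, not the contents of the updated packages.

```python
"""Minimal model of LPRng lpd.perms evaluation (added example, not LPRng code).
Assumed semantics: rules are read top to bottom, the first ACCEPT/REJECT whose
conditions all hold decides, and DEFAULT applies if no rule matched.  Only
SERVICE, SERVER and NOT are modelled; SERVICE=R is lpr job submission."""

# Constructed policy with no remote restriction: lpd takes lpr jobs from any host.
WEAK_PERMS = """
ACCEPT SERVICE=C SERVER
ACCEPT SERVICE=S
REJECT SERVICE=CSU
DEFAULT ACCEPT
"""

# Constructed hardened policy: refuse job submission unless it comes from this host.
HARDENED_PERMS = "REJECT SERVICE=R NOT SERVER\n" + WEAK_PERMS


def parse(text):
    # Split a perms file into token lists, dropping comments and blank lines.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line.split())
    return rules


def rule_matches(conds, service, from_server):
    """True if every condition on the rule holds for this request."""
    negate = False
    for tok in conds:
        if tok == "NOT":            # negates the condition that follows
            negate = True
            continue
        if tok == "SERVER":
            ok = from_server
        elif tok.startswith("SERVICE="):
            ok = service in tok[len("SERVICE="):]
        else:
            raise ValueError("keyword not modelled: " + tok)
        if ok == negate:            # condition failed, so the rule does not apply
            return False
        negate = False
    return True


def is_allowed(perms, service, from_server):
    """Decide a request: first matching ACCEPT/REJECT wins, else DEFAULT."""
    default = True
    for action, *conds in parse(perms):
        if action == "DEFAULT":
            default = conds[0] == "ACCEPT"
            continue
        if rule_matches(conds, service, from_server):
            return action == "ACCEPT"
    return default
```

With the weak policy, a remote SERVICE=R request matches no rule and falls through to DEFAULT ACCEPT; the hardened policy rejects it on the first line.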