+----------------------------------------------------------------+
| LinuxSecurity.com                         Linux Advisory Watch |
| August 9th, 2002                          Volume 3, Number 32a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for openssl, bind/glibc, libpng,
openafs, kerberos 5, wwwoffle, tinyproxy, dietlibc, kqueue, ffs, nfs,
sendmail, secureweb, and gaim. The vendors include Caldera, Conectiva,
Debian, EnGarde, FreeBSD, Mandrake, and Red Hat.

FEATURE: Best Practices guide for securing the Linux Workstation

There is no silver bullet in security; rather, due diligence and
knowledge are the best foundations for solid management of risk. The
focus of this document is distinctively on workstations: those located
in a corporate environment, those situated at the house, and the myriad
of situations that fall somewhere in-between.

http://www.linuxsecurity.com/feature_stories/feature_story-115.html

* Act Now! Deadline August 10th! *
Guardian Digital Combats Proprietary Software Licensing Deadline

Guardian Digital, Inc., the first full-service open source Internet
server security company, has announced a special incentive program
designed to provide companies with an alternative to Windows-based
servers and applications as the July 31st deadline for Microsoft's new
licensing program approaches.

http://www.guardiandigital.com/company/press/EnGarde-Licensing-Promotion.pdf

Save Now: http://store.guardiandigital.com/html/eng/493-AA.shtml

Find technical and managerial positions available worldwide. Visit the
LinuxSecurity.com Career Center: http://careers.linuxsecurity.com

+---------------------------------+
| Package: openssl                | ----------------------------//
| Date: 08-02-2002                |
+---------------------------------+

Description:
There are four remotely exploitable buffer overflows that affect
various OpenSSL client and server implementations. There are also
encoding problems in the ASN.1 library used by OpenSSL. Several of
these vulnerabilities could be used by a remote attacker to execute
arbitrary code on the target system. All could be used to create
denial of service.

Vendor Alerts:

 Caldera:
  ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.1/RPMS

  openssl-0.9.6-19.i386.rpm
  22df8bff398b736e1b38ba1aaa5bbaef

  openssl-devel-0.9.6-19.i386.rpm
  68c37446be713e85419f723b139cb64c

  openssl-devel-static-0.9.6-19.i386.rpm
  3d103c874131c41839326e8add1cc683

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2259.html

 FreeBSD:
  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2246.html

 Mandrake:
  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2260.html

 Conectiva:
  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2265.html

 EnGarde:
  i386/openssl-0.9.6-1.0.17.i386.rpm
  MD5 Sum: 2be3d62740d8d95469470acb8ad868b3

  i386/openssl-misc-0.9.6-1.0.17.i386.rpm
  MD5 Sum: 0803e7486e837176ee791d4b26b78ffa

  i386/openssl-devel-0.9.6-1.0.17.i386.rpm
  MD5 Sum: 61f7354bd49c106f4171bb34da821ac5

  i686/openssl-0.9.6-1.0.17.i686.rpm
  MD5 Sum: 5500f9acea0513f8d00df85dd432d20e

  i686/openssl-misc-0.9.6-1.0.17.i686.rpm
  MD5 Sum: 33fb2323346f834a114265e527762f11

  i686/openssl-devel-0.9.6-1.0.17.i686.rpm
  MD5 Sum: deb6d48417fc34b8b5cabaca3f82a0cf

  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

  EnGarde Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2263.html

 Red Hat:
  i386:
  ftp://updates.redhat.com/7.3/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/openssl096-0.9.6-13.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/openssl-0.9.6b-28.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/openssl-devel-0.9.6b-28.i386.rpm
  ftp://updates.redhat.com/7.3/en/os/i386/openssl-perl-0.9.6b-28.i386.rpm

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2254.html

+---------------------------------+
| Package: bind/glibc             | ----------------------------//
| Date: 08-02-2002                |
+---------------------------------+

Description:
A buffer overflow vulnerability exists in multiple implementations of
DNS resolver libraries. Operating systems and applications that utilize
vulnerable DNS resolver libraries may be affected. A remote attacker
who is able to send malicious DNS responses could potentially exploit
this vulnerability to execute arbitrary code or cause a denial of
service on a vulnerable system.

Vendor Alerts:

 Caldera:
  PLEASE SEE VENDOR ADVISORY UPDATES

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2256.html

+---------------------------------+
| Package: libpng                 | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
In addition to the advisory DSA 140-1 the packages below fix another
potential buffer overflow. The PNG libraries implement a safety margin
which is also included in a newer upstream release. Thanks to Glenn
Randers-Pehrson for informing us.

Vendor Alerts:

 Debian:
  Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/libp/libpng3/libpng-dev_1.2.1-1.1.woody.2_i386.deb
  Size/MD5 checksum: 233094 f9889af54e78f47eebe1fa5a60ef33cb

  http://security.debian.org/pool/updates/main/libp/libpng/libpng2_1.0.12-3.woody.2_i386.deb
  Size/MD5 checksum: 106636 c9369f9eb9ae747365cdccf40acc3c2d

  http://security.debian.org/pool/updates/main/libp/libpng/libpng2-dev_1.0.12-3.woody.2_i386.deb
  Size/MD5 checksum: 227308 4c452324c7308dcd268128fbe4b6439f

  http://security.debian.org/pool/updates/main/libp/libpng3/libpng3_1.2.1-1.1.woody.2_i386.deb
  Size/MD5 checksum: 109802 8694e5afdb6f0c0c9e13b9f24aac8f63

 Mandrake:
  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2242.html

 Caldera:
  PLEASE SEE VENDOR ADVISORY UPDATES

  Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2256.html

+---------------------------------+
| Package: openafs                | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
An integer overflow bug has been discovered in the RPC library used by
the OpenAFS database server, which is derived from the SunRPC library.
This bug could be exploited to crash certain OpenAFS servers
(volserver, vlserver, ptserver, buserver) or to obtain unauthorized
root access to a host running one of these processes. No exploits are
known to exist yet.

Vendor Alerts:

 Debian:
  Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/o/openafs/libopenafs-dev_1.2.3final2-6_i386.deb
  Size/MD5 checksum: 1026278 010b72ad1e6611536d8d7af69c37f931

  http://security.debian.org/pool/updates/main/o/openafs/openafs-client_1.2.3final2-6_i386.deb
  Size/MD5 checksum: 1345484 fead4fb0df392ca7b092d4d53ff96c49

  http://security.debian.org/pool/updates/main/o/openafs/openafs-dbserver_1.2.3final2-6_i386.deb
  Size/MD5 checksum: 365466 c13358838819b019afc6c3de20678d3e

  http://security.debian.org/pool/updates/main/o/openafs/openafs-fileserver_1.2.3final2-6_i386.deb
  Size/MD5 checksum: 442334 426ab449fee8b0de03b310ba24e4100e

  http://security.debian.org/pool/updates/main/o/openafs/openafs-kpasswd_1.2.3final2-6_i386.deb
  Size/MD5 checksum: 185150 58d88fcef9f9cbf6a54cdfb849dd7229

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2243.html

+---------------------------------+
| Package: Kerberos 5             | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
An integer overflow bug has been discovered in the RPC library used by
the Kerberos 5 administration system, which is derived from the SunRPC
library. This bug could be exploited to gain unauthorized root access
to a KDC host. It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful. No
exploits are known to exist yet.

Vendor Alerts:

 Debian:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2247.html

 Conectiva:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2262.html

+---------------------------------+
| Package: wwwoffle               | ----------------------------//
| Date: 08-06-2002                |
+---------------------------------+

Description:
A problem with wwwoffle has been discovered. The web proxy didn't
handle input data with negative Content-Length settings properly, which
causes the processing child to crash. It is at this time not obvious
how this can lead to an exploitable vulnerability; however, it's better
to be safe than sorry, so here's an update.

Vendor Alerts:

 Debian:
  Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/w/wwwoffle/wwwoffle_2.5c-10.4_i386.deb
  Size/MD5 checksum: 514316 9130724c8fe2d8af0f55acc1876c06a0

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2251.html

+---------------------------------+
| Package: tinyproxy              | ----------------------------//
| Date: 08-07-2002                |
+---------------------------------+

Description:
The authors of tinyproxy, a lightweight HTTP proxy, discovered a bug in
the handling of some invalid proxy requests. Under some circumstances,
an invalid request may result in allocated memory being freed twice.
This can potentially result in the execution of arbitrary code.

Vendor Alerts:

 Debian:
  Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/t/tinyproxy/tinyproxy_1.4.3-2woody2_i386.deb
  Size/MD5 checksum: 38758 591c6aa83eb191bd53f4f76caea330a4

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2261.html

+---------------------------------+
| Package: Dietlibc               | ----------------------------//
| Date: 08-08-2002                |
+---------------------------------+

Description:
An integer overflow bug has been discovered in the RPC library used by
dietlibc, a libc optimized for small size, which is derived from the
SunRPC library. This bug could be exploited to gain unauthorized root
access to software linking to this code. The packages below also fix
integer overflows in the calloc, fread and fwrite code. They are also
more strict regarding hostile DNS packets that could lead to a
vulnerability otherwise.

Vendor Alerts:

 Debian:
  Intel IA-32 architecture:

  http://security.debian.org/pool/updates/main/d/dietlibc/dietlibc-dev_0.12-2.2_i386.deb
  Size/MD5 checksum: 230532 f671532aae3e1d70726ebd9109e7a1a4

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2264.html

  Debian Vendor Advisory Update:
  http://www.linuxsecurity.com/advisories/debian_advisory-2266.html

+---------------------------------+
| Package: kqueue                 | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
If a pipe was created with the pipe(2) system call, and one end of the
pipe was closed, registering an EVFILT_WRITE filter on the other end
would cause a kernel panic. A common scenario in which this could occur
is when a process uses a pipe to communicate with a child and uses
kqueue to monitor the pipe, and the child dies shortly after the
fork(2) call, before the parent has had time to register the filter.

Vendor Alerts:

 FreeBSD:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2248.html

+---------------------------------+
| Package: ffs                    | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
A bug in the calculation of the maximum permitted FFS file size allows
users to create files that are larger than FreeBSD's virtual memory
system can handle. The integer overflows that result when such files
are accessed may map filesystem metadata into the user file, permitting
access to arbitrary filesystem blocks.

Vendor Alerts:

 FreeBSD:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2249.html

+---------------------------------+
| Package: nfs                    | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
Certain Linux implementations of NFS produce zero-length RPC messages
in some cases. A FreeBSD system running an NFS server may lock up when
such clients connect. An attacker in a position to send RPC messages to
an affected FreeBSD system can construct a sequence of malicious RPC
messages that cause the target system to lock up.

Vendor Alerts:

 FreeBSD:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2250.html

+---------------------------------+
| Package: sendmail               | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
As publicized[1] by lumpy and reported on the sendmail website, a local
user can stop the mail service (in the sense of "freezing" some
operations) by holding an exclusive reading lock on some specific
sendmail files (using a system call like flock()). In order to do that,
the user must have permission to read the file. One example of such a
file is /var/log/sendmail.st, which is world readable by default.

Vendor Alerts:

 Conectiva:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2245.html

+---------------------------------+
| Package: secureweb              | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
The MM library provides an abstraction layer which allows related
processes to easily share data. On systems where shared memory or other
inter-process communication mechanisms are not available, the MM
library will emulate them using temporary files. MM is used in Red Hat
Secure Web Server to provide shared memory pools to Apache modules.

Vendor Alerts:

 Red Hat:
  i386:
  ftp://updates.redhat.com/other_prod/secureweb/3.2/i386/secureweb-3.2.8-1.i386.rpm.rhmask
  313617c2625c6e3e585d15869b8cefa6

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2255.html

+---------------------------------+
| Package: gaim                   | ----------------------------//
| Date: 08-05-2002                |
+---------------------------------+

Description:
Gaim is an instant messaging client based on the published TOC protocol
from AOL. Versions of gaim prior to 0.58 contain a buffer overflow in
the Jabber plug-in module. Users of gaim should update to these errata
packages containing gaim 0.59, which is not vulnerable to this issue.

Vendor Alerts:

 Red Hat:
  i386:
  ftp://updates.redhat.com/7.3/en/os/i386/gaim-0.59-0.7.3.i386.rpm
  27d0b02251407982ee2b0c9affac5a93

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2253.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------