+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  August 16th, 2002                        Volume 3, Number 33a |
+----------------------------------------------------------------+

  Editors:   Dave Wreski                 Benjamin Thomas
             dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for cvs, mailman, hylafax,
interchange, l2tpd, xinetd, glibc, modssl, chfn, libpng, bind, xchat,
sharutils, tcl/tk, mm, and ipppd. The vendors include Caldera, Debian,
Gentoo, Mandrake, OpenBSD, Red Hat, SuSE, Trustix, and Yellow Dog.

* Developing with open standards?
* Demanding High Performance?

Catch the Oracle9i JDeveloper wave now and check out how built-in
profilers and CodeCoach make your Java code tighter and faster than
ever before.

--> Download your FREE copy of Oracle9i JDeveloper Today.
--> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle4

FEATURE: Centralized File-Integrity With Samhain Part I

There is no silver bullet in security; rather, due diligence and
knowledge are the best foundations for solid management of risk. The
focus of this document is distinctively on workstations: those located
in a corporate environment, those situated at the house, and the myriad
of situations that fall somewhere in-between.

http://www.linuxsecurity.com/feature_stories/feature_story-116.html

)) FREE Apache SSL Guide from Thawte ((

Are you worried about your web server security? Click here to get a
FREE Thawte Apache SSL Guide and find the answers to all your Apache
SSL security needs.
----> http://www.gothawte.com/rd363.html <-----

+---------------------------------+
| Package: cvs                    |
----------------------------//
| Date: 08-06-2002                |
+---------------------------------+

Description:
There is a locally exploitable vulnerability in the cvsd program.

Vendor Alerts:

  Caldera:
    ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-035.0/RPMS/
      cvs-1.11-8.i386.rpm          446921ba85f2f865d698060ab344d189
      cvs-doc-ps-1.11-8.i386.rpm   11ddbffdbf9310b24364b2b91d851acc

  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-2267.html

+---------------------------------+
| Package: mailman                |
----------------------------//
| Date: 08-16-2002                |
+---------------------------------+

Description:
A cross-site scripting vulnerability was discovered in mailman, software
for managing electronic mailing lists. When a specially crafted URL is
accessed with Internet Explorer (other browsers don't seem to be
affected), the resulting web page is rendered much like the real one,
but the embedded JavaScript is executed as well, which could be used by
an attacker to gain access to sensitive information.

Vendor Alerts:

  Debian Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/m/mailman/mailman_1.1-10.1_i386.deb
      Size/MD5 checksum:   328680 58aab5cf2c13a03952f22097c7224e01

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2268.html

+---------------------------------+
| Package: hylafax                |
----------------------------//
| Date: 08-12-2002                |
+---------------------------------+

Description:
A set of problems has been discovered in Hylafax, a flexible
client/server fax package distributed with many GNU/Linux distributions.
Vendor Alerts:

  Debian Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-client_4.0.2-14.3_i386.deb
      Size/MD5 checksum:   398406 9e30d17b4645472b1b04bab0962c1080
    http://security.debian.org/pool/updates/main/h/hylafax/hylafax-server_4.0.2-14.3_i386.deb
      Size/MD5 checksum:   877434 1ae774e2115c983eed9fda2b6c19aa84

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2277.html

+---------------------------------+
| Package: interchange            |
----------------------------//
| Date: 08-12-2002                |
+---------------------------------+

Description:
A problem has been discovered in Interchange, an e-commerce and general
HTTP database display system, which can lead to an attacker being able
to read any file to which the user running the Interchange daemon has
sufficient permissions, when Interchange runs in "INET mode" (internet
domain socket).

Vendor Alerts:

  Debian Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_i386.deb
      Size/MD5 checksum:   852744 7a40058ecc9119c740826b3dbc9660d0
    http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
      Size/MD5 checksum:    13156 234c7d614aa28de64d5d33dcb49e654d

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2280.html

+---------------------------------+
| Package: l2tpd                  |
----------------------------//
| Date: 08-16-2002                |
+---------------------------------+

Description:
Current versions of l2tpd, a layer 2 tunneling client/server program,
failed to seed the random number generator, which made them vulnerable
since every generated "random" number was completely predictable. In
addition, when handling the size of the value in an attribute value
pair, too many bytes could be copied, which could lead to the vendor
field being overwritten.
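The l2tpd entry above describes two defects: an unseeded random number generator and an attribute value pair (AVP) whose declared size was trusted when copying the value into a fixed-size field. The following is an added example, not code from the newsletter or from the l2tpd project, showing the checks a defensively written AVP parser makes. It follows the RFC 2661 AVP layout (a 16-bit flags/length word, 16-bit Vendor ID, 16-bit Attribute Type, then the value); `field_capacity` is a hypothetical destination-buffer size standing in for the fixed field a C implementation would copy into, and the sample control message is constructed here.

```python
import secrets
import struct
from dataclasses import dataclass
from typing import List

# L2TP AVP layout (RFC 2661, section 4.1): a 16-bit word holding the M and H
# flag bits plus a 10-bit overall length, then a 16-bit Vendor ID, a 16-bit
# Attribute Type, and (Length - 6) bytes of value.
AVP_HEADER_LEN = 6
AVP_LENGTH_MASK = 0x03FF
AVP_FLAG_MANDATORY = 0x8000
AVP_FLAG_HIDDEN = 0x4000
AVP_MAX_VALUE_LEN = AVP_LENGTH_MASK - AVP_HEADER_LEN   # 1017 bytes

ATTR_MESSAGE_TYPE = 0   # RFC 2661 attribute type 0
ATTR_VENDOR_NAME = 8    # RFC 2661 attribute type 8


class MalformedAVP(ValueError):
    """Raised for any AVP whose declared length cannot be trusted."""


@dataclass
class AVP:
    mandatory: bool
    hidden: bool
    vendor_id: int
    attr_type: int
    value: bytes


def build_avp(vendor_id: int, attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Encode one AVP; used here only to construct sample input."""
    if len(value) > AVP_MAX_VALUE_LEN:
        raise ValueError("value does not fit the 10-bit length field")
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    return struct.pack("!HHH", flags | (AVP_HEADER_LEN + len(value)), vendor_id, attr_type) + value


def with_declared_length(avp: bytes, length: int) -> bytes:
    """Rewrite only the length bits of an encoded AVP (builds a bad packet for the tests)."""
    flags = struct.unpack_from("!H", avp)[0] & ~AVP_LENGTH_MASK
    return struct.pack("!H", flags | (length & AVP_LENGTH_MASK)) + avp[2:]


def parse_avps(payload: bytes, field_capacity: int = 64) -> List[AVP]:
    """Walk the AVPs of a control message, refusing any declared length that
    runs past the end of the payload or past the fixed-size field
    (field_capacity, a hypothetical destination buffer) the value is copied into."""
    avps: List[AVP] = []
    offset = 0
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < AVP_HEADER_LEN:
            raise MalformedAVP(f"truncated AVP header at offset {offset}")
        flags_len, vendor_id, attr_type = struct.unpack_from("!HHH", payload, offset)
        length = flags_len & AVP_LENGTH_MASK
        if length < AVP_HEADER_LEN:
            raise MalformedAVP(f"AVP length {length} is smaller than its own header")
        if length > remaining:
            raise MalformedAVP(f"AVP length {length} exceeds the {remaining} bytes remaining")
        value_len = length - AVP_HEADER_LEN
        if value_len > field_capacity:
            raise MalformedAVP(f"AVP value of {value_len} bytes exceeds field capacity {field_capacity}")
        avps.append(AVP(
            mandatory=bool(flags_len & AVP_FLAG_MANDATORY),
            hidden=bool(flags_len & AVP_FLAG_HIDDEN),
            vendor_id=vendor_id,
            attr_type=attr_type,
            value=payload[offset + AVP_HEADER_LEN:offset + length],
        ))
        offset += length
    return avps


def new_tunnel_id() -> int:
    """Draw a non-zero 16-bit tunnel id from the OS CSPRNG instead of an unseeded PRNG."""
    while True:
        tid = secrets.randbits(16)
        if tid != 0:
            return tid


# Constructed sample: a Message Type AVP (value 1 = SCCRQ) followed by a Vendor Name AVP.
SAMPLE_CONTROL = build_avp(0, ATTR_MESSAGE_TYPE, b"\x00\x01") + build_avp(0, ATTR_VENDOR_NAME, b"ExampleVendor")

if __name__ == "__main__":
    for avp in parse_avps(SAMPLE_CONTROL):
        print(avp)
    try:
        parse_avps(with_declared_length(SAMPLE_CONTROL, 600))
    except MalformedAVP as exc:
        print("rejected:", exc)
    print("tunnel id:", new_tunnel_id())
```

The three length checks are the whole point: the length must cover at least the header, must not run past the bytes actually received, and the value must fit the field it is stored in. The first two keep the parser inside the packet; the third is what prevents the field overwrite the advisory describes.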
Vendor Alerts:

  Debian Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/l/l2tpd/l2tpd_0.67-1.1_i386.deb
      Size/MD5 checksum:    88130 bbd745997296fd61edc9777de121c9a5

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2281.html

+---------------------------------+
| Package: xinetd                 |
----------------------------//
| Date: 08-13-2002                |
+---------------------------------+

Description:
Solar Designer found a vulnerability in xinetd, a replacement for the
BSD-derived inetd. File descriptors for the signal pipe introduced in
version 2.3.4 are leaked into services started from xinetd. The
descriptors could be used to talk to xinetd and crash it entirely,
which is usually called a denial of service.

Vendor Alerts:

  Debian Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/x/xinetd/xinetd_2.3.4-1.2_i386.deb
      Size/MD5 checksum:   114380 82e2f7248fcec69f1a4390d4e22c799d

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2282.html

  Gentoo:
    http://www.linuxsecurity.com/advisories/other_advisory-2285.html

+---------------------------------+
| Package: glibc                  |
----------------------------//
| Date: 08-13-2002                |
+---------------------------------+

Description:
An integer overflow bug has been discovered in the RPC library used by
GNU libc, which is derived from the SunRPC library. This bug could be
exploited to gain unauthorized root access to software linking to this
code. The packages below also fix integer overflows in the malloc code.
They also contain a fix from Andreas Schwab to reduce linebuflen in
parallel with bumping up the buffer pointer in the NSS DNS code.
Vendor Alerts:

  Debian Intel IA-32 architecture:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2283.html

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2286.html

  Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2287.html

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2284.html

+---------------------------------+
| Package: modssl                 |
----------------------------//
| Date: 08-08-2002                |
+---------------------------------+

Description:
Frank Denis discovered an off-by-one error in mod_ssl in the handling of
older configuration directives (the rewrite_command hook). A malicious
user could use a specially crafted .htaccess file to execute arbitrary
commands as the apache user or to mount a DoS against the apache child
processes.

Vendor Alerts:

  Mandrake Linux 8.2:
    8.2/RPMS/mod_ssl-2.8.7-3.1mdk.i586.rpm   406eee7d9607cf40f5cea3376fe38697
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2270.html

  Yellow Dog Linux:
    http://www.linuxsecurity.com/advisories/other_advisory-2275.html

+---------------------------------+
| Package: chfn                   |
----------------------------//
| Date: 08-08-2002                |
+---------------------------------+

Description:
Michal Zalewski found a vulnerability in the util-linux package, in the
chfn utility. This utility allows users to modify some of the
information in the /etc/passwd file, and is installed setuid root. Using
a carefully crafted attack sequence, an attacker can exploit a complex
file locking and modification race that would allow them to make
changes to the /etc/passwd file.
To successfully exploit this vulnerability and obtain privilege
escalation, some administrator interaction is needed, and the password
file must be over 4kb in size; the attacker's entry cannot be in the
last 4kb of the file.

Vendor Alerts:

  Mandrake Linux 8.2:
    8.2/RPMS/losetup-2.11n-4.3mdk.i586.rpm      f137a274c2969ca3b893e96902dee893
    8.2/RPMS/mount-2.11n-4.3mdk.i586.rpm        c074a07a7f3c3fd92b0be2ebd02dff93
    8.2/RPMS/util-linux-2.11n-4.3mdk.i586.rpm   420c1537cb8260f984125fd6311dc3d1
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2269.html

+---------------------------------+
| Package: libpng                 |
----------------------------//
| Date: 08-13-2002                |
+---------------------------------+

Description:
A buffer overflow was found in the progressive reader of the PNG library
when the PNG datastream contains more IDAT data than indicated by the
IHDR chunk. Such deliberately malformed datastreams would crash
applications, potentially allowing an attacker to execute malicious
code. Many programs make use of the PNG libraries, including web
browsers. This overflow is corrected in versions 1.0.14 and 1.2.4 of the
PNG library.

Vendor Alerts:

  Mandrake Linux 8.2:
    8.2/RPMS/libpng3-1.2.4-3.1mdk.i586.rpm               a356a7d29a489d4a4cf69948820818cc
    8.2/RPMS/libpng3-devel-1.2.4-3.1mdk.i586.rpm         d82469cdfdbbab17d95920646f9ab128
    8.2/RPMS/libpng3-static-devel-1.2.4-3.1mdk.i586.rpm  300ca08369f671487bb8c3da92880351
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2288.html

+---------------------------------+
| Package: bind                   |
----------------------------//
| Date: 08-15-2002                |
+---------------------------------+

Description:
The error condition can be remotely triggered by a specially crafted
DNS packet.
This can only be used to create a denial of service on the server; the
error condition is correctly detected, so it will not allow an attacker
to execute arbitrary code on the server.

Vendor Alerts:

  Mandrake Linux 8.2:
    8.2/RPMS/bind-9.2.1-2.2mdk.i586.rpm                 c871ab517a1f789a134337dc580ab803
    8.2/RPMS/bind-devel-9.2.1-2.2mdk.i586.rpm           15cdebfe14d8a213101d758137364c72
    8.2/RPMS/bind-utils-9.2.1-2.2mdk.i586.rpm           551bb255ed07bb0b257875190c866b42
    8.2/RPMS/caching-nameserver-8.1-3.1mdk.noarch.rpm   18145fb072aaad5a7272a00ea4e0c411
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2289.html

  Red Hat i386:
    ftp://updates.redhat.com/7.3/en/os/i386/bind-9.2.1-1.7x.2.i386.rpm
      8636bdf02a5c862a8e7773447ced2a4c
    ftp://updates.redhat.com/7.3/en/os/i386/bind-devel-9.2.1-1.7x.2.i386.rpm
      35007eaef20eb645d6ca7c3e02cb10d8
    ftp://updates.redhat.com/7.3/en/os/i386/bind-utils-9.2.1-1.7x.2.i386.rpm
      b467c81cea2c6653df6bc816401b598c

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2271.html

  Yellow Dog Linux:
    http://www.linuxsecurity.com/advisories/other_advisory-2273.html

+---------------------------------+
| Package: xchat                  |
----------------------------//
| Date: 08-15-2002                |
+---------------------------------+

Description:
In versions of the xchat IRC client prior to 1.8.9, xchat does not
filter the response from an IRC server when a /dns query is executed.
xchat resolves hostnames by passing the configured resolver and the
hostname to a shell, so a malicious IRC server may return a response
formatted so that arbitrary commands are executed with the privileges
of the user running xchat.
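The xchat entry above is the classic shape of a command injection: server-supplied data (the host name in the /dns response) is pasted into a shell command line. As an added example, not code from the newsletter or from the xchat project, here is how a client can handle the same task safely: validate the name against the host name syntax before using it, and then either hand it to the resolver as a single argv element with no shell in between, or skip the external process entirely and resolve in-process. The resolver name `host` is assumed for illustration.

```python
import re
import socket
import subprocess
from typing import List

# One host name label per RFC 1123: letters, digits and hyphens, no leading
# or trailing hyphen, at most 63 characters. fullmatch (not match + '$') is
# used so a trailing newline cannot slip through.
_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_safe_hostname(name: str) -> bool:
    """Accept only syntactically valid host names. Anything else the server
    sends back (shell metacharacters, whitespace, a leading '-' that an
    external resolver might read as an option) is rejected outright."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(_LABEL_RE.fullmatch(label) for label in labels)


def resolver_argv(name: str, resolver: str = "host") -> List[str]:
    """Argument vector for an external resolver. The unsafe pattern this
    replaces is os.system(resolver + " " + name): the name is interpolated
    into a shell command line and the shell interprets it."""
    if not is_safe_hostname(name):
        raise ValueError(f"refusing to resolve suspicious host name: {name!r}")
    return [resolver, name]


def run_external_resolver(name: str, resolver: str = "host") -> str:
    """Run the resolver without a shell; the host name is one argv element."""
    result = subprocess.run(resolver_argv(name, resolver), capture_output=True,
                            text=True, check=False)
    return result.stdout


def resolve_in_process(name: str) -> List[str]:
    """Safest option: no external process at all."""
    if not is_safe_hostname(name):
        raise ValueError(f"refusing to resolve suspicious host name: {name!r}")
    addresses = {info[4][0] for info in socket.getaddrinfo(name, None)}
    return sorted(addresses)


if __name__ == "__main__":
    # Constructed responses: one ordinary name, one carrying shell syntax.
    for candidate in ("irc.example.org", "irc.example.org; id"):
        try:
            print(resolver_argv(candidate))
        except ValueError as exc:
            print(exc)
```

Validation alone is not the fix; the fix is that no shell ever sees the name. The validator exists so that whatever process does receive it (the resolver, or getaddrinfo) gets a well-formed argument rather than something it might misparse.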
Vendor Alerts:

  Mandrake Linux 8.2:
    8.2/RPMS/xchat-1.8.9-1.1mdk.i586.rpm   07acd74eb2ba9e6e993c080f3f62d1db
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2290.html

+---------------------------------+
| Package: sharutils              |
----------------------------//
| Date: 08-15-2002                |
+---------------------------------+

Description:
The uudecode utility creates output files without checking whether it
is about to write to a symlink or a pipe. This could be exploited by a
local attacker to overwrite files, or lead to privilege escalation, if
users decode data into shared directories such as /tmp. This update
fixes the vulnerability by checking whether the destination output file
is a symlink or a pipe.

Vendor Alerts:

  Mandrake Linux 8.2:
    8.2/RPMS/sharutils-4.2.1-8.1mdk.i586.rpm   933544c2edfed6f26eb5e6a9105dd3f1
    http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2291.html

(OpenBSD)
+---------------------------------+
| Package: boundary condition     |
----------------------------//
| Date: 08-14-2002                |
+---------------------------------+

Description:
Local users can obtain complete system privileges and circumvent the
extra security measures provided by the securelevel system.

Vendor Alerts:

  OpenBSD:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/014_scarg.patch

  OpenBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/openbsd_advisory-2279.html

+---------------------------------+
| Package: mm                     |
----------------------------//
| Date: 08-10-2002                |
+---------------------------------+

Description:
The MM library provides an abstraction layer which allows related
processes to share data easily. On systems where shared memory or other
inter-process communication mechanisms are not available, the MM
library emulates them using temporary files. MM is used in [Yellow Dog]
Linux to provide shared memory pools to Apache modules.
Versions of MM up to and including 1.1.3 open temporary files in an
unsafe manner, allowing a malicious local user to cause an application
which uses MM to overwrite any file to which it has write access.

Vendor Alerts:

  Yellow Dog Linux:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/ppc/mm-1.1.3-8.2.3a.ppc.rpm
      730e6a5ed0ecd367bdef2ebb4fa8c0ca

  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2274.html

+---------------------------------+
| Package: tcl/tk                 |
----------------------------//
| Date: 08-10-2002                |
+---------------------------------+

Description:
The tcl/tk package searched for its libraries in the current working
directory before other directories, which could allow local users to
execute arbitrary code by placing a Trojan horse library in a
user-controlled directory.

Vendor Alerts:

  Red Hat Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2278.html

+---------------------------------+
| Package: ipppd                  |
----------------------------//
| Date: 08-10-2002                |
+---------------------------------+

Description:
The i4l package contains several programs for ISDN maintenance and
connectivity on Linux. The ipppd program, which is part of the package,
contained various buffer overflows and format string bugs. Since ipppd
is installed setuid root and executable by users in group 'dialout',
this may allow attackers with the appropriate group membership to
execute arbitrary commands as root.

Vendor Alerts:

  SuSE:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/i4l-2002.7.23-0.i386.rpm
      1d5fff19d48eb1b0652c21c139fdf53d

  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2276.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
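Two entries in this issue, sharutils and mm, are the same bug in different clothes: a program creates or opens an output file in a directory other users can write to, and trusts the name it finds there. The following is an added example, not code from the newsletter or from either project, of the two defensive patterns those fixes amount to. For a caller-chosen output name (the uudecode case) it opens with O_NOFOLLOW and then checks with fstat that the descriptor really is a regular file, so a pre-planted symlink or FIFO is refused; for a scratch file the program names itself (the mm case) it uses mkstemp, which creates an exclusively opened 0600 file under an unpredictable name. The demo runs in a private temporary directory standing in for /tmp; file names in it are constructed.

```python
import fcntl
import os
import stat
import tempfile
from typing import Dict, Tuple


def open_output_file(path: str) -> int:
    """Open path for writing the way a hardened uudecode would: never follow a
    symlink, and refuse anything that is not a regular file (FIFOs, devices).
    O_NONBLOCK stops the open from hanging on a FIFO that has no reader; it is
    cleared once the fstat check has passed. Truncation happens only after the
    check, so an existing special file is never modified."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(path, flags, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(f"{path}: not a regular file, refusing to write")
        current = fcntl.fcntl(fd, fcntl.F_GETFL)
        fcntl.fcntl(fd, fcntl.F_SETFL, current & ~os.O_NONBLOCK)
        os.ftruncate(fd, 0)
    except BaseException:
        os.close(fd)
        raise
    return fd


def private_tempfile(directory: str) -> Tuple[int, str]:
    """Scratch file the program names itself: mkstemp opens it exclusively with
    mode 0600 under a random name, so nobody can pre-create the path."""
    return tempfile.mkstemp(prefix="mm-", dir=directory)


def _refused(path: str) -> bool:
    """True if open_output_file rejects path."""
    try:
        os.close(open_output_file(path))
        return False
    except OSError:
        return True


def demo() -> Dict[str, bool]:
    """Exercise the checks in a private scratch directory standing in for /tmp."""
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.txt")      # file an attacker wants clobbered
        with open(victim, "w") as fh:
            fh.write("original")

        link = os.path.join(shared, "decoded.txt")       # attacker pre-plants the output name
        os.symlink(victim, link)
        symlink_refused = _refused(link)

        fifo = os.path.join(shared, "decoded.fifo")      # same trick with a named pipe
        os.mkfifo(fifo)
        fifo_refused = _refused(fifo)

        plain = os.path.join(shared, "fresh.txt")        # honest case must still work
        fd = open_output_file(plain)
        os.write(fd, b"decoded")
        os.close(fd)

        tmp_fd, tmp_path = private_tempfile(shared)
        tmp_mode = stat.S_IMODE(os.fstat(tmp_fd).st_mode)
        os.close(tmp_fd)

        with open(victim) as fh:
            victim_after = fh.read()
        with open(plain) as fh:
            plain_after = fh.read()

    return {
        "symlink_refused": symlink_refused,
        "fifo_refused": fifo_refused,
        "victim_untouched": victim_after == "original",
        "plain_written": plain_after == "decoded",
        "temp_private": (tmp_mode & 0o077) == 0 and os.path.basename(tmp_path).startswith("mm-"),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Checking the descriptor after the open (fstat) rather than the path before it (lstat) matters: a path check leaves a window in which the attacker swaps the file for a symlink, while the descriptor cannot change underneath the program.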
------------------------------------------------------------------------
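Every Vendor Alerts section in this issue publishes an MD5 for each updated package, and the value of those digests is nil unless they are actually checked after download. The following is an added script, not part of the newsletter or of any vendor's tooling, that parses the three listing shapes used above (Caldera/Mandrake "file  md5" pairs, Debian "URL" followed by "Size/MD5 checksum: size md5", and Red Hat/SuSE "URL" followed by a bare md5) into a manifest and verifies a download directory against it. MD5 is used because that is what the 2002 advisories publish; the `algorithm` parameter exists because a present-day check should use sha256 and, better, the vendor's signature. The demo builds its own package files, so the names and digests in it are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict

# "8.2/RPMS/xchat-1.8.9-1.1mdk.i586.rpm   07acd7..." (Caldera, Mandrake style)
_NAME_HASH_RE = re.compile(r"^\s*(\S+?\.(?:rpm|deb))\s+([0-9a-fA-F]{32})\s*$")
# A bare package URL or path; the digest follows on the next line.
_URL_RE = re.compile(r"^\s*(\S+\.(?:rpm|deb))\s*$")
# "Size/MD5 checksum:   328680 58aab5..." (Debian style)
_SIZE_MD5_RE = re.compile(r"^\s*Size/MD5 checksum:\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")
# A digest alone on its line (Red Hat, SuSE style after a wrapped URL)
_BARE_MD5_RE = re.compile(r"^\s*([0-9a-fA-F]{32})\s*$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map package file name (basename) -> expected hex digest."""
    expected: Dict[str, str] = {}
    pending = None                      # package name waiting for a digest line
    for line in text.splitlines():
        m = _NAME_HASH_RE.match(line)
        if m:
            expected[os.path.basename(m.group(1))] = m.group(2).lower()
            pending = None
            continue
        m = _URL_RE.match(line)
        if m:
            pending = os.path.basename(m.group(1))
            continue
        m = _SIZE_MD5_RE.match(line) or _BARE_MD5_RE.match(line)
        if m and pending:
            expected[pending] = m.group(m.lastindex).lower()
            pending = None
    return expected


def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 1 << 16) -> str:
    """Hex digest of a file, read in chunks so large packages need no extra memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(expected: Dict[str, str], download_dir: str,
                     algorithm: str = "md5") -> Dict[str, str]:
    """Return 'ok', 'MISMATCH' or 'missing' for every package in the manifest."""
    report: Dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        actual = file_digest(path, algorithm)
        report[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: two downloads whose digests are computed here (so the
    manifest is genuine), one of them altered after the listing was written, and
    one package never fetched. The names are placeholders, not packages above."""
    with tempfile.TemporaryDirectory() as downloads:
        good = os.path.join(downloads, "example-good-1.0-1.i386.rpm")
        bad = os.path.join(downloads, "example-bad-1.0-1.i386.rpm")
        with open(good, "wb") as fh:
            fh.write(b"good package bytes")
        with open(bad, "wb") as fh:
            fh.write(b"package bytes before tampering")
        listing = "\n".join([
            f"8.2/RPMS/example-good-1.0-1.i386.rpm   {file_digest(good)}",
            f"8.2/RPMS/example-bad-1.0-1.i386.rpm    {file_digest(bad)}",
            "8.2/RPMS/example-missing-1.0-1.i386.rpm 00000000000000000000000000000000",
            "http://www.mandrakesecure.net/en/ftp.php",
        ])
        with open(bad, "ab") as fh:
            fh.write(b"\nmodified in transit")
        return verify_downloads(parse_listing(listing), downloads)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Paste a Vendor Alerts block into a file, feed it to `parse_listing`, and point `verify_downloads` at the directory the packages were fetched into; anything reported as MISMATCH should be discarded and re-fetched from the vendor, not installed.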