+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  September 13th, 2002                    Volume 3, Number 37a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for ethereal, python, cacti,
postgresql, kdelibs, krb5, php, wordtrans, gaim, glibc, and util-linux.
The vendors include Conectiva, Debian, Gentoo, Mandrake, and Red Hat.

FEATURE: NFS Security - NFS (Network File System) is a widely used and
primitive protocol that allows computers to share files over a network.
The main problems with NFS are that it relies on the inherently
insecure UDP protocol, transactions are not encrypted, and hosts and
users cannot be easily authenticated. Below we will show a number of
steps one can follow to address those security problems.

http://www.linuxsecurity.com/feature_stories/feature_story-118.html

ENCRYPTION + AUTHENTICATION = TRUST
You may think people will regard your business as trustworthy because
you've got a 128-bit encryption certificate, but encryption does not
guarantee trust. Thawte believes in rigorous authentication
 -> http://www.gothawte.com/rd365.html

EnGarde Secure Linux: Editor's Choice & Undisputed Leader
Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

+---------------------------------+
|  Package: ethereal              | ----------------------------//
|  Date: 09-06-2002               |
+---------------------------------+

Description: Ethereal developers discovered a buffer overflow in the
ISIS protocol dissector. It may be possible to make Ethereal crash or
hang by injecting a purposefully malformed packet onto the wire, or by
convincing someone to read a malformed packet trace file. It may be
possible to make Ethereal run arbitrary code by exploiting the buffer
and pointer problems.

Vendor Alerts:

  Debian:
    i386:
      http://security.debian.org/pool/updates/main/e/ethereal/ethereal_0.8.0-4potato.1_i386.deb
      Size/MD5 checksum:   520452 c04c0c6253dc91ea8f773cb1607258df

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2330.html

+---------------------------------+
|  Package: python                | ----------------------------//
|  Date: 09-09-2002               |
+---------------------------------+

Description: The bugfix we distributed in DSA 159-1 unfortunately
caused Python to sometimes behave improperly when a non-executable
file existed earlier in the path and an executable file of the same
name existed later in the path. Zack Weinberg fixed this in the Python
source.

Vendor Alerts:

  Debian:
    i386:
      http://security.debian.org/pool/updates/main/p/python/python-base_1.5.2-10potato13_i386.deb
      Size/MD5 checksum:   825292 3fd77f5f0f90ee904908c3af612b9268

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2331.html

+---------------------------------+
|  Package: cacti                 | ----------------------------//
|  Date: 09-09-2002               |
+---------------------------------+

Description: A problem in cacti, a PHP-based frontend to rrdtool for
monitoring systems and services, has been discovered. This could lead
to cacti executing arbitrary program code under the user id of the
web server.
This problem, however, is only persistent to users who already have
administrator privileges in the cacti system.

Vendor Alerts:

  Debian:
    i386:
      http://security.debian.org/pool/updates/main/c/cacti/cacti_0.6.7-2.1_all.deb
      Size/MD5 checksum:   209658 d63265f2a6606893ac9d1e3a6539c20d

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2332.html

+---------------------------------+
|  Package: postgresql            | ----------------------------//
|  Date: 09-09-2002               |
+---------------------------------+

Description: Mordred Labs and others found several vulnerabilities in
PostgreSQL, an object-relational SQL database. They are inherited from
several buffer overflows and integer overflows. Specially crafted long
date and time input, currency, repeat data and long timezone names
could cause the PostgreSQL server to crash, as could specially crafted
input data for lpad() and rpad(). More buffer/integer overflows were
found in circle_poly(), path_encode() and path_addr().

Vendor Alerts:

  Debian:
    i386:
      http://security.debian.org/pool/updates/main/p/postgresql/postgresql_6.5.3-27.2_i386.deb
      Size/MD5 checksum:   687334 8b448ec3a6c1e6cd52bca10b5cc48cc3
      http://security.debian.org/pool/updates/main/p/postgresql/postgresql-client_6.5.3-27.2_i386.deb
      Size/MD5 checksum:    88128 4d3b874a135665ff355001fada0fddef
      http://security.debian.org/pool/updates/main/p/postgresql/postgresql-contrib_6.5.3-27.2_i386.deb
      Size/MD5 checksum:    95942 0ebcebc831c984a7b18d61cbed5875a0
      http://security.debian.org/pool/updates/main/p/postgresql/postgresql-dev_6.5.3-27.2_i386.deb
      Size/MD5 checksum:   233256 a15449922f2ac541b2ef6c5d108c9e80

  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2345.html

+---------------------------------+
|  Package: kdelibs               | ----------------------------//
|  Date: 09-12-2002               |
+---------------------------------+

Description: A vulnerability was discovered in KDE's SSL implementation
in that it does not check the basic constraints on a certificate and as
a result may accept certificates as valid that were signed by an issuer
who is not authorized to do so. This can lead to Konqueror and other
SSL-enabled KDE software falling victim to a man-in-the-middle attack
without being aware of the invalid certificate. This will trick users
into thinking they are on a secure connection with a valid site when in
fact the site is different from that which they intended to connect to.

Vendor Alerts:

  Mandrake:
    i386:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2337.html

+---------------------------------+
|  Package: krb5                  | ----------------------------//
|  Date: 09-10-2002               |
+---------------------------------+

Description: A vulnerability was discovered in KDE's SSL implementation
in that it does not check the basic constraints on a certificate and as
a result may accept certificates as valid that were signed by an issuer
who is not authorized to do so. This can lead to Konqueror and other
SSL-enabled KDE software falling victim to a man-in-the-middle attack
without being aware of the invalid certificate. This will trick users
into thinking they are on a secure connection with a valid site when in
fact the site is different from that which they intended to connect to.

Vendor Alerts:

  Mandrake:
    i386:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2339.html

+---------------------------------+
|  Package: php                   | ----------------------------//
|  Date: 09-10-2002               |
+---------------------------------+

Description: A fifth parameter was added to PHP's mail() function in
4.0.5 that is not properly sanitized when the server is running in safe
mode. This vulnerability would allow local users and, possibly, remote
attackers to execute arbitrary commands using shell metacharacters.
Vendor Alerts:

  Mandrake:
    i386:
      8.1/RPMS/php-4.0.6-6.1mdk.i586.rpm
        50358bb3a3702b61c57b657e9129fe07
      8.1/RPMS/php-common-4.0.6-6.1mdk.i586.rpm
        f2a81f7b2196082fa46966d8d30efb6a
      8.1/RPMS/php-devel-4.0.6-6.1mdk.i586.rpm
        8d194449ba33c3dbdab0fb081e7e3ba1

  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2344.html

+---------------------------------+
|  Package: wordtrans             | ----------------------------//
|  Date: 09-10-2002               |
+---------------------------------+

Description: The wordtrans-web package provides an interface to query
multilingual dictionaries via a web browser. Guardent discovered
vulnerabilities which affect versions of wordtrans up to and including
1.1pre8.

Vendor Alerts:

  Red Hat:
    i386:
      ftp://updates.redhat.com/7.3/en/os/i386/wordtrans-1.1pre8-11.i386.rpm
        34c2ee6708276f6b84f179797fdf0bcc
      ftp://updates.redhat.com/7.3/en/os/i386/wordtrans-kde-1.1pre8-11.i386.rpm
        e6cc175c2075fd0817453b1be64f8ff8
      ftp://updates.redhat.com/7.3/en/os/i386/wordtrans-qt-1.1pre8-11.i386.rpm
        9f73987fcbf92dbedd7a44f22b39d5e4
      ftp://updates.redhat.com/7.3/en/os/i386/wordtrans-web-1.1pre8-11.i386.rpm
        8f7c36661f82413ca0bbedf53d6dcaa9

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2333.html

+---------------------------------+
|  Package: gaim                  | ----------------------------//
|  Date: 09-09-2002               |
+---------------------------------+

Description: Gaim is an all-in-one instant messaging client that lets
you use a number of messaging protocols such as AIM, ICQ, and Yahoo,
all at once. Versions of gaim prior to 0.59.1 contain a bug in the URL
handler of the manual browser option. A link can be carefully crafted
to contain an arbitrary shell script which will be executed if the
user clicks on the link.
Vendor Alerts:

  Red Hat:
    i386:
      ftp://updates.redhat.com/7.3/en/os/i386/gaim-0.59.1-0.7.3.i386.rpm
        b49e9b07d9e449221bd210e5a6bd9474

  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2340.html

+---------------------------------+
|  Package: glibc                 | ----------------------------//
|  Date: 09-09-2002               |
+---------------------------------+

Description: There is an integer overflow present in the xdr_array()
function distributed as part of the Sun Microsystems XDR library. This
overflow has been shown to lead to remotely exploitable buffer
overflows in multiple applications, leading to the execution of
arbitrary code. Although the library was originally distributed by Sun
Microsystems, multiple vendors have included the vulnerable code in
their own implementations.

Vendor Alerts:

  Gentoo:
    i386:
      PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2334.html

+---------------------------------+
|  Package: util-linux            | ----------------------------//
|  Date: 09-12-2002               |
+---------------------------------+

Description: Michal Zalewski found a race condition vulnerability[1] in
the way chfn locks files when changing /etc/passwd. In order to
successfully exploit this vulnerability, some administrator interaction
is needed and there are some prerequisites to fulfill. Full details can
be found in the Bindview advisory[2].

Vendor Alerts:

  Conectiva:
    i386:
      ftp://atualizacoes.conectiva.com.br/8/RPMS/util-linux-2.11n-4U80_1cl.i386.rpm

  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2346.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
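The glibc entry above describes the integer overflow in xdr_array(). The following C is an added illustration, not glibc's or Sun's XDR code: it shows the element-count times element-size computation an XDR-style array decoder performs, first unchecked (the product wraps and a tiny buffer is sized for a huge array) and then overflow-checked; the count, element size and maximum are constructed values.

```c
/* Added example, not glibc/Sun XDR code: sizing the buffer for an
 * XDR-style array. The unchecked product wraps around for large element
 * counts, so a tiny buffer is allocated for a huge array. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked form: count * elsize silently wraps modulo 2^32. */
unsigned int naive_array_bytes(unsigned int count, unsigned int elsize)
{
    return count * elsize;
}

/* Checked form: reject a count above the caller's protocol maximum and
 * any product that would not fit in an unsigned int. Returns true and
 * sets *out only when the size is trustworthy. */
bool checked_array_bytes(unsigned int count, unsigned int elsize,
                         unsigned int maxcount, unsigned int *out)
{
    if (elsize == 0 || count > maxcount)
        return false;
    if (count > UINT_MAX / elsize)      /* count * elsize would wrap */
        return false;
    *out = count * elsize;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected
 * (an empty array also yields 0 and therefore gets no allocation). */
unsigned int checked_bytes_or_zero(unsigned int count, unsigned int elsize,
                                   unsigned int maxcount)
{
    unsigned int bytes;
    return checked_array_bytes(count, elsize, maxcount, &bytes) ? bytes : 0;
}

int main(void)
{
    unsigned int count = 0x40000001u;  /* constructed hostile element count */
    unsigned int elsize = 4;           /* constructed: 4-byte XDR integers */
    unsigned int maxcount = 1u << 20;  /* constructed protocol limit */
    printf("unchecked size: %u bytes\n", naive_array_bytes(count, elsize));
    printf("checked size:   %u (0 = rejected)\n",
           checked_bytes_or_zero(count, elsize, maxcount));
    return 0;
}
```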