+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 11th, 2002                      Volume 3, Number 41a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin Thomas
               dave@linuxsecurity.com        ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for tomcat, tkmail, htmail,
fetchmail, bugzilla, libkvm, Konqueror, talkd, sendmail, pic, libc,
rogue, apache, hylafax, php, tcpdump, gv, and nss_ldap. The vendors
include Conectiva, Debian, EnGarde, NetBSD, OpenBSD, Red Hat, and SuSE.

Network Security Audit - "Information for the right people at right
time and from anywhere" has been the driving force behind providing
access to most of the vital information on an organization's network
over the Internet. This is a simple guide to conducting a network
security audit; the article lists the points to cover during an audit.
http://www.linuxsecurity.com/feature_stories/feature_story-120.html

+---------------------------------+
| Package: tomcat                 |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 A security vulnerability has been found in all Tomcat 4.x releases.
 This problem allows an attacker to use a specially crafted URL to
 return the unprocessed source code of a JSP page, or, under special
 circumstances, a static resource which would otherwise have been
 protected by security constraints, without the need to be properly
 authenticated.

 Vendor Alerts:

   Debian:
     http://security.debian.org/pool/updates/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody1_all.deb
       Size/MD5 checksum:  1133954 913a12f0bc47c3dd7b32416b3ebbd1a5
     http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody1_all.deb
       Size/MD5 checksum:  1385482 395d7482c58aa9e41702e605071792c9
     http://security.debian.org/pool/updates/contrib/t/tomcat4/tomcat4_4.0.3-3woody1_all.deb
       Size/MD5 checksum:   126030 904242e382289346c58cf93cfc2ddc9b

   Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2405.html

+---------------------------------+
| Package: tkmail                 |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 It has been discovered that tkmail creates temporary files insecurely.
 Exploiting this, an attacker with local access can easily create and
 overwrite files as another user.

 Vendor Alerts:

   Debian:
     http://security.debian.org/pool/updates/main/t/tkmail/tkmail_4.0beta9-8.1_alpha.deb
       Size/MD5 checksum:   223450 c052579b2cee968909bc10dfc8cc4d1e

   Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2415.html

+---------------------------------+
| Package: htmail                 |
----------------------------//
| Date: 10-08-2002                |
+---------------------------------+

 Description:
 Ulf Harnhammer discovered a problem in ht://Check's PHP interface. The
 PHP interface displays, unchecked, information that was gathered from
 crawled external web servers. This could lead to a cross-site scripting
 attack if somebody has control over the responses of a remote web
 server which is crawled by ht://Check.
 Vendor Alerts:

   Debian:
     http://security.debian.org/pool/updates/main/h/htcheck/htcheck-php_1.1-1.1_all.deb
       Size/MD5 checksum:    42150 8714bfe5188922baf0026d1d09eaf657

   Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2421.html

+---------------------------------+
| Package: fetchmail              |
----------------------------//
| Date: 10-07-2002                |
+---------------------------------+

 Description:
 Stefan Esser discovered several buffer overflows and a broken boundary
 check within fetchmail. If fetchmail is running in multidrop mode, these
 flaws can be used by remote attackers to crash it or to execute
 arbitrary code under the user id of the user running fetchmail.
 Depending on the configuration, this even allows a remote root
 compromise.

 Vendor Alerts:

   Debian:
     http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-common_5.9.11-6.1_all.deb
       Size/MD5 checksum:   165264 7256588af225867b680d786915073439
     http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_5.9.11-6.1_all.deb
       Size/MD5 checksum:    92606 573f619586119ee527148b3088217218

   Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2422.html

   Red Hat:

   Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-2423.html

+---------------------------------+
| Package: bugzilla               |
----------------------------//
| Date: 10-07-2002                |
+---------------------------------+

 Description:
 Vendor Alerts:

   Debian:
     http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla-doc_2.14.2-0woody2_all.deb
       Size/MD5 checksum:   489348 de8dbc7aa0b14d6e798a8cc94760ae19
     http://security.debian.org/pool/updates/main/b/bugzilla/bugzilla_2.14.2-0woody2_all.deb
       Size/MD5 checksum:   273932 74eedc712211c3d740291333ffc7e022

   Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-2425.html

+---------------------------------+
| Package: libkvm                 |
----------------------------//
| Date: 10-07-2002                |
+---------------------------------+

 Description:
 The kvm(3) library provides a uniform interface for accessing kernel
 virtual memory images, including live systems and crash dumps. Access
 to live systems is via /dev/mem and /dev/kmem. Memory can be read and
 written, kernel symbol addresses can be looked up efficiently, and
 information about user processes can be gathered.

 Vendor Alerts:

   FreeBSD:
     ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch

   FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2430.html

+---------------------------------+
| Package: Konqueror              |
----------------------------//
| Date: 10-07-2002                |
+---------------------------------+

 Description:
 A vulnerability was discovered in Konqueror's cross-site scripting
 protection, in that it fails to initialize the domains on sub-(i)frames
 correctly. Because of this, JavaScript may access any foreign subframe
 which is defined in the HTML source, which can be used to steal cookies
 from the client and allow other cross-site scripting attacks. This also
 affects other KDE software that uses the KHTML rendering engine.
 Vendor Alerts:

   Mandrake:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   Mandrake Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-2429.html

+---------------------------------+
| Package: talkd                  |
----------------------------//
| Date: 10-08-2002                |
+---------------------------------+

 Description:
 A rogue talk client is able to cause talkd to overrun a buffer, and
 could be able to compromise root privilege on the machine running
 talkd. An actual attack script has yet to be found.

 Vendor Alerts:

   NetBSD:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2416.html

+---------------------------------+
| Package: sendmail               |
----------------------------//
| Date: 10-08-2002                |
+---------------------------------+

 Description:
 If smrsh (the sendmail restricted shell) is in use with sendmail, a
 local user can bypass the access restrictions imposed by smrsh.

 Vendor Alerts:

   NetBSD:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2417.html

+---------------------------------+
| Package: pic                    |
----------------------------//
| Date: 10-08-2002                |
+---------------------------------+

 Description:
 pic(1) had a buffer overrun in argument handling. The problem could be
 remotely exploited depending on the lpd(8) setup.

 Vendor Alerts:

   NetBSD:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2419.html

+---------------------------------+
| Package: libc/libresolve        |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 The BIND-based DNS resolver did not allocate a sufficiently large
 receive memory buffer. Large DNS responses (even if valid) could
 overrun the buffer, or could confuse DNS response parsing. NetBSD uses
 BIND4-based DNS resolver code in libc/libresolv, and is vulnerable.
 The release of this advisory had been postponed for coordination with
 a third party.

 Vendor Alerts:

   NetBSD:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2418.html

+---------------------------------+
| Package: rogue                  |
----------------------------//
| Date: 10-08-2002                |
+---------------------------------+

 Description:
 There are several buffer overflows in the processing of saved games
 when restarting rogue(6), that allow one to obtain group "games".

 Vendor Alerts:

   NetBSD:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2420.html

+---------------------------------+
| Package: OpenBSD                |
----------------------------//
| Date: 10-08-2002                |
+---------------------------------+

 Description:
 Insufficient boundary checks in the select call allow an attacker to
 overwrite kernel memory and execute arbitrary code in kernel context.
 Traditionally, the size parameter for the select system call is a
 signed integer. As a result, the kernel evaluates the upper boundary
 checks in a signed context, so an attacker can circumvent them by using
 certain negative values. When the kernel copies the data for the select
 system call from userland, the size is used as an unsigned integer,
 which causes kernel memory to be overwritten with arbitrary data.

 Vendor Alerts:

   OpenBSD:
     ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/014_scarg.patch

   OpenBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/openbsd_advisory-2279.html

+---------------------------------+
| Package: Apache                 |
----------------------------//
| Date: 10-07-2002                |
+---------------------------------+

 Description:
 There is a vulnerability regarding Apache's use of shared memory (SHM).
 An attacker who is able to execute code under the webserver's UID is
 able to send arbitrary processes a USR1 signal as root.
 If unhandled, the default action for this signal is to terminate the
 process.

 Vendor Alerts:

   Conectiva:
     ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-1.3.26-1U8_4cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-devel-1.3.26-1U8_4cl.i386.rpm
     ftp://atualizacoes.conectiva.com.br/8/RPMS/apache-doc-1.3.26-1U8_4cl.i386.rpm

   Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-2411.html

   EnGarde:
     ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
       i386/apache-1.3.27-1.0.32.i386.rpm
         MD5 Sum: 63b00c465bb617f3e08a04154a8ffea7
       i686/apache-1.3.27-1.0.32.i686.rpm
         MD5 Sum: aa9ed8ab148de56f696ee6f2a52a5f77

   EnGarde Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-2414.html

+---------------------------------+
| Package: hylafax                |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 The logging function of faxgetty prior to version 4.1.3 was vulnerable
 to a format string bug when handling the TSI value of a received
 facsimile. This bug could easily be used to trigger a denial-of-service
 attack or to execute arbitrary code remotely.

 Vendor Alerts:

   SuSE:
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/hylafax-4.1-285.i386.patch.rpm
       3115ebdb9e65027f35809463c5e6ae7e
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n4/hylafax-4.1-285.i386.rpm
       07b0f2d015b0fd83c5bb9be548e7b8fb

   SuSE Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-2412.html

+---------------------------------+
| Package: mod_php                |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 PHP is a well known and widely used web programming language. If a PHP
 script runs in "safe mode", several restrictions are applied to it,
 including limits on the execution of external programs.
 An attacker can pass shell meta-characters or sendmail(8) command line
 options via the 5th argument (introduced in version 4.0.5) of the
 mail() function to execute shell commands or control the behavior of
 sendmail(8).

 Vendor Alerts:

   SuSE:
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-257.i386.patch.rpm
       00ce030f55f4d0af32528402a5cbe269
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-257.i386.rpm
       3399c5b577464a282c85a6fcb56be915

   SuSE Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-2413.html

+---------------------------------+
| Package: nss_ldap               |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7,
 7.1, 7.2, and 7.3. These updates fix a potential buffer overflow which
 can occur when nss_ldap is set to configure itself using information
 stored in DNS, a format string bug in logging functions used in
 pam_ldap, and the handling of truncated DNS responses.

 Vendor Alerts:

   Red Hat:
     ftp://updates.redhat.com/7.3/en/os/i386/nss_ldap-189-4.i386.rpm
       8dc0d40503cbc09a55a111fc53ec42ba

   Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-2409.html

+---------------------------------+
| Package: tcpdump                |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 Updated tcpdump, libpcap, and arpwatch packages are available for Red
 Hat Linux 6.2 and 7.x. These updates close a buffer overflow when
 handling NFS packets.

 Vendor Alerts:

   Red Hat:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-2410.html

+---------------------------------+
| Package: gv                     |
----------------------------//
| Date: 10-04-2002                |
+---------------------------------+

 Description:
 Updated packages for gv and ggv fix a local buffer overflow when
 reading malformed PDF or PostScript(R) files.
 Vendor Alerts:

   Red Hat:
     PLEASE SEE VENDOR ADVISORY FOR UPDATE

   Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-2432.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
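As an added illustration of the OpenBSD select entry above (this is not OpenBSD's source code), the C below places the signed-context bounds check the advisory describes next to a hardened one and shows what copy length each would hand to the kernel copy routine. The struct name, the 1024-byte buffer limit and the one-byte-per-descriptor copy length are simplifying assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed size of the kernel-side buffer the select data is copied into. */
#define KMEM_BUF_BYTES 1024u

/* The size argument, declared signed as the syscall traditionally did. */
struct select_args {
    int nd;
};

/* Outcome of the argument check and the byte count the copy would use. */
struct check_result {
    bool   accepted;
    size_t copy_bytes;     /* what the kernel copy routine would be asked for */
};

/* Vulnerable pattern: the upper bound is compared in signed context, so a
 * negative nd (for example -1) is "not greater than" the limit and passes.
 * The copy length is then taken as an unsigned quantity, so the same -1
 * becomes SIZE_MAX and the kernel buffer is overrun. */
struct check_result check_nd_signed(struct select_args a)
{
    struct check_result r = { false, 0 };
    if (a.nd > (int)KMEM_BUF_BYTES)
        return r;                       /* only large positives are rejected */
    r.accepted = true;
    r.copy_bytes = (size_t)a.nd;        /* (size_t)-1 == SIZE_MAX */
    return r;
}

/* Hardened pattern: reject negative values explicitly, then compare the
 * non-negative value against the limit as an unsigned quantity. */
struct check_result check_nd_fixed(struct select_args a)
{
    struct check_result r = { false, 0 };
    if (a.nd < 0 || (unsigned int)a.nd > KMEM_BUF_BYTES)
        return r;                       /* negative and oversized both rejected */
    r.accepted = true;
    r.copy_bytes = (size_t)a.nd;        /* now guaranteed <= KMEM_BUF_BYTES */
    return r;
}
```

The same pattern applies to any bounds check on a signed length: compare against the limit only after the sign has been ruled out, or switch the argument type to unsigned so the two comparisons cannot disagree.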