Linux Advisory Watch - October 18th 2002

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 18th, 2002                       Volume 3, Number 42a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for heartbeat, syslog-ng, gv, heimdal,
unzip, tar, apache, squirrelmail, dvips, xinetd, the Red Hat kernel,
nss_ldap, sendmail, tomcat, fetchmail, XFree86, glibc, postgresql, python,
and ppp.  The vendors include Conectiva, Debian, EnGarde, Gentoo, Mandrake,
Red Hat, SuSE and Trustix.

** ENCRYPTION + AUTHENTICATION = TRUST **
You may think people will regard your business as trustworthy because
you've got a 128-bit encryption certificate, but encryption does not
guarantee trust. Thawte believes in rigorous authentication:

  Download our FREE Authentication Guide:
  http://www.gothawte.com/rd409.html

Book Review: Tracking Hackers by Lance Spitzner is fantastically written.
The detailed definitions and descriptions make it a great book even for
the honeypot novice to understand. It grabs your attention right from the
very beginning, holds it to the end and leaves you wanting more.

http://www.linuxsecurity.com/feature_stories/feature_story-121.html


Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2


Network Security Audit - "Information for the right people at the right
time and from anywhere" has been the driving force behind giving access to
most of an organization's vital information over the Internet. This
article is a simple guide to conducting a network security audit and lists
the points such an audit should cover.

http://www.linuxsecurity.com/feature_stories/feature_story-120.html

+---------------------------------+
|  Package: heartbeat             | ----------------------------//
|  Date: 10-14-2002               |
+---------------------------------+

Description:
Nathan Wallwork discovered a buffer overflow in heartbeat, a subsystem for
High-Availability Linux. A remote attacker could send a specially crafted
UDP packet that overflows a buffer, causing heartbeat to execute arbitrary
code as root.

Vendor Alerts:

 Debian:
 http://security.debian.org/pool/updates/main/h/heartbeat/ldirectord_0.4.9.0l-7.2_all.deb
 Size/MD5 checksum:    33118 27d3073cade1d823e0405755b9b4ebd1

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2443.html

 SuSE:

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-2447.html



+---------------------------------+
|  Package: syslog-ng             | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
Péter Höltzl discovered a problem in the way syslog-ng handles macro
expansion.  When a macro is expanded, a static-length buffer is used
together with a counter of the remaining space.  However, when constant
characters are appended, the counter is not updated, so the boundary
check is wrong.  An attacker may be able to overflow the buffer with
specially crafted log messages delivered via UDP.

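The counter mistake described above is easy to reproduce and easy to avoid.
What follows is an added illustration in C, not syslog-ng's own code: a toy
template expander with two macros, $HOST and $MSG, in which every byte
written, whether it comes from a macro value or from a literal character of
the template, goes through one bounds-checked append that charges it to the
same counter. The macro names, the buffer size and the sample message are
assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Output buffer with explicit bounds bookkeeping. `left` is the number of
 * payload bytes still writable before the terminating NUL. The syslog-ng
 * defect was a counter like this one that was decremented for macro output
 * but not for literal template characters, so the boundary check drifted
 * away from the real fill level by one byte per literal. */
struct outbuf {
    char *buf;
    size_t left;    /* bytes still available for payload (NUL excluded) */
    size_t used;    /* bytes written so far */
    int truncated;  /* set once anything had to be dropped */
};

static void ob_init(struct outbuf *ob, char *buf, size_t size)
{
    ob->buf = buf;
    ob->left = size ? size - 1 : 0;   /* reserve room for the NUL */
    ob->used = 0;
    ob->truncated = 0;
    if (size) buf[0] = '\0';
}

/* Every byte goes through here, macro output and literals alike. */
static void ob_putc(struct outbuf *ob, char c)
{
    if (ob->left == 0) {              /* no room: record it, never write */
        ob->truncated = 1;
        return;
    }
    ob->buf[ob->used++] = c;
    ob->left--;
    ob->buf[ob->used] = '\0';
}

static void ob_puts(struct outbuf *ob, const char *s)
{
    while (*s) ob_putc(ob, *s++);
}

/* Expand "$HOST" and "$MSG" in tmpl into out[outsz]. Returns 0 on success,
 * -1 if the result did not fit (out is still NUL-terminated and holds the
 * truncated prefix). */
int expand_template(const char *tmpl, const char *host, const char *msg,
                    char *out, size_t outsz)
{
    struct outbuf ob;
    ob_init(&ob, out, outsz);

    for (const char *p = tmpl; *p; p++) {
        if (strncmp(p, "$HOST", 5) == 0) {
            ob_puts(&ob, host);
            p += 4;
        } else if (strncmp(p, "$MSG", 4) == 0) {
            ob_puts(&ob, msg);
            p += 3;
        } else {
            ob_putc(&ob, *p);   /* literal: charged to the counter too */
        }
    }
    return ob.truncated ? -1 : 0;
}

int main(void)
{
    char line[32];
    /* Constructed sample input: a message longer than the buffer. */
    int rc = expand_template("<$HOST> $MSG", "web1",
                             "this message is far longer than the buffer",
                             line, sizeof line);
    printf("rc=%d len=%zu out=\"%s\"\n", rc, strlen(line), line);
    return 0;
}
```

The syslog-ng defect was the equivalent of calling ob_putc() for macro
output but storing literal characters directly without touching `left`;
after a few literals the counter promised more room than the buffer had,
and a long enough message could then write past its end. Routing every
write through one function makes that class of bookkeeping error
structurally impossible.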
Vendor Alerts:

 Debian:
 http://security.debian.org/pool/updates/main/s/syslog-ng/syslog-ng_1.4.0rc3-3.2_i386.deb
 Size/MD5 checksum:   116240 720bb0fb394521f3c4b9de13ca3455e4

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2450.html

 Gentoo:
 Gentoo Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2441.html

 EnGarde:
 i386/syslog-ng-1.4.10-1.0.25.i386.rpm
 MD5 Sum: ae0c785a072f4545f6c0abfee9760090

 i686/syslog-ng-1.4.10-1.0.25.i686.rpm
 MD5 Sum: 4ec459e0b58e99ba043a29c977d18293

 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2458.html



+---------------------------------+
|  Package: gv                    | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer
for X11.  This problem is triggered by scanning the PostScript file and
can be exploited by an attacker sending a malformed PostScript or PDF
file.  The attacker is able to cause arbitrary code to be run with the
privileges of the victim.

Vendor Alerts:

 Debian:
 http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_i386.deb
 Size/MD5 checksum:   226416 4f44d7df45cec7b132c1c7c9a6ba84ea

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2455.html


+---------------------------------+
|  Package: heimdal               | ----------------------------//
|  Date: 10-18-2002               |
+---------------------------------+

Description:
The SuSE Security Team has reviewed critical parts of the Heimdal package,
such as the kadmind and kdc servers.  While doing so, several potential
buffer overflows and other bugs were uncovered and fixed. Remote attackers
can probably gain root access on systems without the fixes. Since these
services usually run on authentication servers, these bugs are considered
very serious.

Vendor Alerts:

 Debian:
 http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_i386.deb
 Size/MD5 checksum:    86940 6d6c03223d9c37acd4ebcbad72a95fa3

 http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_i386.deb
 Size/MD5 checksum:   171072 db95cb63bfa435c08c1964546c6140fd

 http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_i386.deb
 Size/MD5 checksum:    61838 5053e97991ddd840179d2606e34c1eac

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2460.html

 Gentoo:
 Gentoo Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2445.html



+---------------------------------+
|  Package: unzip                 | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
A directory traversal vulnerability was discovered in unzip version 5.42
and earlier that allows attackers to overwrite arbitrary files during
extraction of the archive by using a ".." (dot dot) in an extracted
filename, as well as prefixing filenames in the archive with "/" (slash).

Vendor Alerts:

 Mandrake Linux:
 8.2/RPMS/unzip-5.50-2.1mdk.i586.rpm
 33bf02cef205d3b4d4e66c49618a67cf

 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2436.html

+---------------------------------+
|  Package: tar                   | ----------------------------//
|  Date: 10-11-2002               |
+---------------------------------+

Description:
A directory traversal vulnerability was discovered in GNU tar version
1.13.25 and earlier that allows attackers to overwrite arbitrary files
during extraction of the archive by using a ".." (dot dot) in an extracted
filename.

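Both the unzip entry above and this tar entry come down to one check an
extractor has to make before it creates anything: the member name must be
relative, and no path component may be "..". The function below is an added
example in C, not code from unzip or GNU tar, that applies exactly those two
rules to archive member names. The sample names in main() are constructed for
the demonstration; the function deliberately leaves out backslash separators
and symlink members, which a real extractor also has to handle.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` may be created below the extraction directory, 0 if
 * it is absolute (unzip's leading "/" case) or contains a ".." component
 * (the tar case). Only whole components are compared, so "..foo" and
 * "foo.." are allowed, while "a/../b" is rejected even though it stays
 * inside: honouring it would mean trusting the archive's idea of the
 * directory layout. Empty names are rejected as well. */
int member_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (name[0] == '/')
        return 0;                              /* absolute path */

    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                          /* ".." component */
        if (!end)
            break;
        p = end + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample member names, the kind an extractor sees. */
    const char *samples[] = {
        "etc/passwd", "/etc/passwd", "../../etc/passwd",
        "foo/../bar", "foo/..bar", "a/./b", "dir/", "..",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

A check like this belongs before any file or directory is created, and the
extractor should still open the final path with the extraction directory as
its base rather than concatenating strings and hoping; the name check closes
the ".." and "/" holes the advisories describe, but a symlink member that
points outside the tree and is then written through is a separate problem.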
Vendor Alerts:

 Mandrake Linux:
 8.0/RPMS/tar-1.13.25-6.2mdk.i586.rpm
 af16a2a8baa2102e329a9544e5493ab6

 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2437.html


+---------------------------------+
|  Package: apache                | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
A number of vulnerabilities were discovered in Apache versions prior to
1.3.27.  The first concerns the use of shared memory (SHM) in Apache.
An attacker who is able to execute code as the UID of the web server
(typically "apache") can send arbitrary processes a USR1 signal as root.
Using this vulnerability, the attacker can also cause the Apache process
to continuously spawn more child processes, causing a local DoS.  Another
vulnerability, discovered by Matthew Murphy, is a cross-site scripting
vulnerability in the standard 404 error page.  Finally, some buffer
overflows were found in the "ab" benchmark program that is included with
Apache.

Vendor Alerts:

 Mandrake Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2454.html

 Gentoo:

 Gentoo Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2452.html

 Trustix:

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2464.html



+---------------------------------+
|  Package: squirrelmail          | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
Cross-site scripting vulnerabilities allow remote attackers to execute
script as other web users via addressbook.php, options.php, search.php, or
help.php. It is possible for remote attackers to determine the absolute
pathname of the options.php script via a malformed optpage file argument,
which generates an error message when the file cannot be included in the
script.

Vendor Alerts:

 Red Hat Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2438.html



+---------------------------------+
|  Package: dvips                 | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
A vulnerability has been found in dvips, which uses the system() function
insecurely when managing fonts.

Vendor Alerts:

 Red Hat Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2449.html



+---------------------------------+
|  Package: xinetd                | ----------------------------//
|  Date: 10-14-2002               |
+---------------------------------+

Description:
Versions 2.3.4 through 2.3.7 of xinetd leak the file descriptors of the
signal pipe to services that are launched by xinetd. This could allow an
attacker to execute a DoS attack via the pipe.

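The xinetd bug above is an inherited-descriptor leak: a service is exec()ed
with the daemon's private signal pipe still open in its descriptor table, so
the service can hold that pipe open or write into it. The standard fix is to
mark private descriptors close-on-exec so the kernel drops them at exec()
time. The code below is an added illustration in C and is not xinetd's own
code: it builds a pipe with both ends marked FD_CLOEXEC, provides a check for
the flag, and counts the descriptors that would still leak into a child. The
function names are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Report whether fd will be closed automatically across exec(). */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Create a pipe whose ends are private to this process image: both are
 * marked close-on-exec, so a child that exec()s a service does not inherit
 * them. pipe() followed by fcntl() leaves a window in which another thread
 * could fork+exec and inherit the raw descriptors; on Linux, pipe2(fds,
 * O_CLOEXEC) closes that window atomically. */
int make_private_pipe(int fds[2])
{
    if (pipe(fds) == -1)
        return -1;
    for (int i = 0; i < 2; i++) {
        int flags = fcntl(fds[i], F_GETFD);
        if (flags == -1 || fcntl(fds[i], F_SETFD, flags | FD_CLOEXEC) == -1) {
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
    }
    return 0;
}

/* Number of open descriptors in [from, max) that lack FD_CLOEXEC, i.e. the
 * ones a spawned service would inherit. This is the figure a leaked-fd
 * audit of a daemon is interested in. */
int count_leaky_fds(int from, int max)
{
    int n = 0;
    for (int fd = from; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC))
            n++;
    }
    return n;
}

int main(void)
{
    int leaky[2], priv[2];
    if (pipe(leaky) == -1 || make_private_pipe(priv) == -1)
        return 1;
    printf("plain pipe close-on-exec:   %d %d\n",
           fd_is_cloexec(leaky[0]), fd_is_cloexec(leaky[1]));
    printf("private pipe close-on-exec: %d %d\n",
           fd_is_cloexec(priv[0]), fd_is_cloexec(priv[1]));
    printf("descriptors >= 3 that would leak into a child: %d\n",
           count_leaky_fds(3, 64));
    return 0;
}
```

On a running daemon the same audit can be done from outside: ls -l
/proc/<pid>/fd of a launched service child lists exactly what it inherited,
and anything there beyond stdin, stdout, stderr and the connection socket is
a candidate leak.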
Vendor Alerts:

 Red Hat Linux:
 ftp://updates.redhat.com/7.3/en/os/i386/xinetd-2.3.9-0.73.i386.rpm
 ef5508fb220839e60e21840a565972cc

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2453.html

+---------------------------------+
|  Package: kernel                | ----------------------------//
|  Date: 10-14-2002               |
+---------------------------------+

Description:
Updated kernel fixes local security issues and provides several updated
drivers to support newer hardware and fix bugs under Red Hat Linux 7.3.

Vendor Alerts:

 Red Hat Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Red Hat Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-2461.html

 Trustix:

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2463.html


+---------------------------------+
|  Package: nss_ldap              | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
When versions of nss_ldap prior to nss_ldap-198 are configured without a
value for the "host" setting, nss_ldap will attempt to configure itself by
using SRV records stored in DNS.  When parsing the results of the DNS
query, nss_ldap does not check that the data returned by the server
will fit into an internal buffer, leaving it vulnerable to a buffer
overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2002-0825 to this issue.
 =20
Vendor Alerts:

 Gentoo Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Gentoo Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2446.html

+---------------------------------+
|  Package: sendmail              | ----------------------------//
|  Date: 10-13-2002               |
+---------------------------------+

Description:
It is possible for an attacker to bypass the restrictions imposed by The
Sendmail Consortium's Restricted Shell (SMRSH) and execute a binary of his
choosing by inserting a special character sequence into his .forward file.

Vendor Alerts:

 Gentoo Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Gentoo Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2448.html

 Conectiva:

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2457.html



+---------------------------------+
|  Package: tomcat                | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5) that allows a specially crafted
URL to return the unprocessed source of a JSP page or, under special
circumstances, a static resource that would otherwise have been protected
by a security constraint, without the requester being properly
authenticated. This is based on a variant of the exploit that was
disclosed on 09/24/2002.

Vendor Alerts:

 Gentoo Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Gentoo Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2451.html


+---------------------------------+
|  Package: fetchmail             | ----------------------------//
|  Date: 10-16-2002               |
+---------------------------------+

Description:
Stefan Esser discovered two vulnerabilities in fetchmail functions
responsible for parsing message headers. These vulnerabilities are present
in unpatched versions of fetchmail prior to 6.1.0 and can be exploited
only if it is running in "multidrop" mode.

Vendor Alerts:

 Conectiva Linux:
 ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-5.9.12-1U80_2cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmailconf-5.9.12-1U80_2cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/8/RPMS/fetchmail-doc-5.9.12-1U80_2cl.i386.rpm

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2456.html


+---------------------------------+
|  Package: XFree86               | ----------------------------//
|  Date: 10-16-2002               |
+---------------------------------+

Description:
This advisory addresses several vulnerabilities in XFree86-4.0.1 in
Conectiva Linux 6.0 and XFree86-4.0.3 in Conectiva Linux 7.0. Conectiva
Linux 8 was previously updated and already contains these fixes.
 =20
Vendor Alerts:

 Conectiva Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2459.html

+---------------------------------+
|  Package: glibc                 | ----------------------------//
|  Date: 10-16-2002               |
+---------------------------------+

Description:
The glibc package contains standard libraries which are used by multiple
programs on the system. In order to save disk space and memory, as well as
to make upgrading easier, common system code is kept in one place and
shared between programs. This particular package contains the most
important sets of shared libraries: the standard C library and the
standard math library. Without these two libraries, a Linux system will
not function.  The glibc package also contains national language (locale)
support and timezone databases.

Vendor Alerts:

 Trustix Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2465.html

+---------------------------------+
|  Package: postgresql            | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
Patched to fix several missing integer checks in the code and several
buffer overflow issues.

Vendor Alerts:

 Trustix Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2466.html

+---------------------------------+
|  Package: python                | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
Zack Weinberg discovered an insecure use of a temporary file in
os._execvpe from os.py. The implementation uses a predictable name, which
could lead to execution of arbitrary code.

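The Python entry above is the classic predictable-temporary-file bug: a
program opens a fixed or guessable name under a shared directory such as
/tmp without O_EXCL, so a local attacker who plants a symlink at that name
first makes the program write, with its own privileges, wherever the link
points. The code below is an added example in C, not the Python project's
fix: it shows the unsafe open next to the safe one (mkstemp, which picks an
unpredictable name and opens it with O_CREAT|O_EXCL and mode 0600) and
demonstrates the symlink trick against the unsafe variant inside a private
scratch directory. The function names and the scratch-directory layout are
assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* UNSAFE: a fixed, guessable name opened without O_EXCL. If another local
 * user has planted a symlink at `path`, open() follows it and the write
 * lands in the link target with this program's privileges. Kept only as
 * the "before". */
int open_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* SAFE: mkstemp() fills the XXXXXX suffix with an unpredictable string and
 * opens with O_CREAT|O_EXCL, mode 0600, retrying on collision; a planted
 * file or symlink at a guessed name is never followed. `tmpl` is rewritten
 * in place to the name that was actually created. */
int open_private(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed demonstration inside a private scratch directory: plant a
 * symlink where the unsafe code expects its temp file, run both variants,
 * and return 1 if the write through open_predictable() landed in the link
 * target while open_private() produced a fresh 0600 regular file, 0 if
 * either observation failed, -1 if the scratch directory could not be
 * made. Cleans up after itself. */
int demo_symlink_attack(void)
{
    char dir[64] = "/tmp/tmpdemo.XXXXXX";
    char victim[128], link[128], priv[128], buf[8] = {0};
    struct stat st;
    int fd, attack_worked = 0, safe_ok = 0;

    if (mkdtemp(dir) == NULL) {                 /* fall back to cwd */
        strcpy(dir, "tmpdemo.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/predictable", dir);
    snprintf(priv, sizeof priv, "%s/private.XXXXXX", dir);

    /* The file the attacker wants overwritten, and the planted link. */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd != -1) {
        close(fd);
        if (symlink(victim, link) == 0) {
            /* Victim program using the predictable name. */
            fd = open_predictable(link);
            if (fd != -1) {
                ssize_t w = write(fd, "owned", 5);
                close(fd);
                fd = (w == 5) ? open(victim, O_RDONLY) : -1;
                if (fd != -1) {
                    attack_worked = read(fd, buf, 5) == 5
                                    && memcmp(buf, "owned", 5) == 0;
                    close(fd);
                }
            }
            /* The safe variant: a fresh regular file, 0600, new name. */
            fd = open_private(priv);
            if (fd != -1) {
                safe_ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
                          && (st.st_mode & 0777) == 0600
                          && strcmp(priv, link) != 0;
                close(fd);
                unlink(priv);
            }
        }
    }
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return attack_worked && safe_ok;
}

int main(void)
{
    printf("symlink attack beat the predictable name, mkstemp not fooled: %d\n",
           demo_symlink_attack());
    return 0;
}
```

The demonstration uses a private 0700 directory so that it behaves the same
everywhere. In a sticky, world-writable /tmp on a Linux kernel with
fs.protected_symlinks enabled, following another user's symlink is refused,
which blunts this particular attack but does not remove the need for
mkstemp(): the program still has no business trusting a name another user
can predict.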
Vendor Alerts:

 Trustix Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2468.html

+---------------------------------+
|  Package: ppp                   | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
Gerald Dachs found a problem in the /etc/pam.d configuration file, and his
fix has been implemented in the TSL 1.5 package.

Vendor Alerts:

 Trustix Linux:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-2469.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

