+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 18th, 2002                       Volume 3, Number 42a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@linuxsecurity.com         ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

It appears the previous version of this issue had difficulty with
locale. Our apologies.

This week, advisories were released for heartbeat, syslog-ng, gv,
heimdal, unzip, tar, apache, squirrelmail, dvips, xinetd, the Red Hat
kernel, nss_ldap, sendmail, tomcat, fetchmail, XFree86, glibc,
postgresql, python, and ppp. The vendors include Conectiva, Debian,
EnGarde, Gentoo, Mandrake, Red Hat, SuSE and Trustix.

** ENCRYPTION + AUTHENTICATION = TRUST **
You may think people will regard your business as trustworthy because
you've got a 128-bit encryption certificate, but encryption does not
guarantee trust. Thawte believes in rigorous authentication:
Download our FREE Authentication Guide:
http://www.gothawte.com/rd409.html

Book Review: Tracking Hackers by Lance Spitzner is fantastically
written. The detailed definitions and descriptions make it a great book
even for the honeypot novice to understand. It grabs your attention
right from the very beginning, holds it to the end and leaves you
wanting more.
http://www.linuxsecurity.com/feature_stories/feature_story-121.html

Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

Network Security Audit - "Information for the right people at the right
time and from anywhere" has been the driving force for providing access
to most of the vital information on the network of an organization over
the Internet. This is a simple guide on conducting a network security
audit; the article contains points for conducting an audit.
http://www.linuxsecurity.com/feature_stories/feature_story-120.html

+---------------------------------+
|  Package: heartbeat             | ----------------------------//
|  Date: 10-14-2002               |
+---------------------------------+

Description:
Nathan Wallwork discovered a buffer overflow in heartbeat, a subsystem
for High-Availability Linux. A remote attacker could send a specially
crafted TCP packet that overflows a buffer, leaving heartbeat to
execute arbitrary code as root.

Vendor Alerts:

  Debian:
    http://security.debian.org/pool/updates/main/h/heartbeat/
      ldirectord_0.4.9.0l-7.2_all.deb
      Size/MD5 checksum:    33118 27d3073cade1d823e0405755b9b4ebd1

    Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2443.html

  SuSE:
    SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2447.html

+---------------------------------+
|  Package: syslog-ng             | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
When a macro is expanded, a static-length buffer is used accompanied by
a counter. However, when constant characters are appended, the counter
is not updated properly, leading to incorrect boundary checking. An
attacker may be able to use specially crafted log messages inserted via
UDP to overflow the buffer.
Vendor Alerts:

  Debian:
    http://security.debian.org/pool/updates/main/s/syslog-ng/
      syslog-ng_1.4.0rc3-3.2_i386.deb
      Size/MD5 checksum:   116240 720bb0fb394521f3c4b9de13ca3455e4

    Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2450.html

  Gentoo:
    Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2441.html

  EnGarde:
    i386/syslog-ng-1.4.10-1.0.25.i386.rpm
      MD5 Sum: ae0c785a072f4545f6c0abfee9760090
    i686/syslog-ng-1.4.10-1.0.25.i686.rpm
      MD5 Sum: 4ec459e0b58e99ba043a29c977d18293
    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/

    EnGarde Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2458.html

+---------------------------------+
|  Package: gv                    | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11. This problem is triggered by scanning the PostScript
file and can be exploited by an attacker sending a malformed PostScript
or PDF file. The attacker is able to cause arbitrary code to be run
with the privileges of the victim.

Vendor Alerts:

  Debian:
    http://security.debian.org/pool/updates/main/g/gv/
      gv_3.5.8-17.1_i386.deb
      Size/MD5 checksum:   226416 4f44d7df45cec7b132c1c7c9a6ba84ea

    Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2455.html

+---------------------------------+
|  Package: heimdal               | ----------------------------//
|  Date: 10-18-2002               |
+---------------------------------+

Description:
The SuSE Security Team has reviewed critical parts of the Heimdal
package such as the kadmind and kdc server. While doing so, several
potential buffer overflows and other bugs have been uncovered and
fixed. Remote attackers can probably gain remote root access on systems
without fixes. Since these services usually run on authentication
servers, these bugs are considered very serious.
Vendor Alerts:

  Debian:
    http://security.debian.org/pool/updates/main/h/heimdal/
      heimdal-kdc_0.2l-7.4_i386.deb
      Size/MD5 checksum:    86940 6d6c03223d9c37acd4ebcbad72a95fa3
    http://security.debian.org/pool/updates/main/h/heimdal/
      heimdal-servers_0.2l-7.4_i386.deb
      Size/MD5 checksum:   171072 db95cb63bfa435c08c1964546c6140fd
    http://security.debian.org/pool/updates/main/h/heimdal/
      heimdal-servers-x_0.2l-7.4_i386.deb
      Size/MD5 checksum:    61838 5053e97991ddd840179d2606e34c1eac

    Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2460.html

  Gentoo:
    Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2445.html

+---------------------------------+
|  Package: unzip                 | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
A directory traversal vulnerability was discovered in unzip version
5.42 and earlier that allows attackers to overwrite arbitrary files
during extraction of the archive by using a ".." (dot dot) in an
extracted filename, as well as by prefixing filenames in the archive
with "/" (slash).

Vendor Alerts:

  Mandrake Linux:
    8.2/RPMS/unzip-5.50-2.1mdk.i586.rpm
      33bf02cef205d3b4d4e66c49618a67cf
    http://www.mandrakesecure.net/en/ftp.php

    Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2436.html

+---------------------------------+
|  Package: tar                   | ----------------------------//
|  Date: 10-11-2002               |
+---------------------------------+

Description:
A directory traversal vulnerability was discovered in GNU tar version
1.13.25 and earlier that allows attackers to overwrite arbitrary files
during extraction of the archive by using a ".." (dot dot) in an
extracted filename.
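The unzip and tar entries above describe the same weakness: a member
name containing ".." components, or beginning with "/", escapes the
directory the archive is being extracted into. The script below is an
added example written for this newsletter, not code from unzip, GNU tar
or any vendor advisory. It resolves each member name against an assumed
extraction directory (/tmp/extract) and reports the names that would
land outside it, which is the check an extractor (or an upload gateway
inspecting archives before they reach a fixed unzip/tar) needs. The
sample zip and tar archives are constructed in memory with deliberately
bad member names so the check can be exercised offline.

```python
"""Detect archive members that would escape the extraction directory.

Added example (not from the advisories above or from unzip/tar). It
covers the two cases the advisories name, ".." components and a leading
"/", plus empty names. Archive member names are POSIX paths, so
posixpath is used regardless of the host operating system.
"""
import io
import posixpath
import tarfile
import zipfile

# Assumed extraction directory; any realistic destination works the same way.
EXTRACT_DIR = "/tmp/extract"


def is_unsafe_member(name, dest=EXTRACT_DIR):
    """Return True if extracting `name` under `dest` could write outside it.

    A plain substring test for ".." would wrongly flag names such as
    "..hidden" and miss nothing useful, so the name is normalised relative
    to `dest` and the result is required to stay beneath `dest`.
    """
    if not name:
        return True
    # Leading "/" : a vulnerable extractor would write to an absolute path.
    if name.startswith("/"):
        return True
    dest = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest, name))
    # "dest + '/'" prevents "/tmp/extract2" from passing as inside "/tmp/extract".
    return not (target == dest or target.startswith(dest + "/"))


def unsafe_zip_members(data):
    """Names in an in-memory zip archive that fail the check, in archive order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_member(n)]


def unsafe_tar_members(data):
    """Names in an in-memory tar archive that fail the check, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return [m.name for m in tf.getmembers() if is_unsafe_member(m.name)]


def build_sample_zip():
    """Constructed sample zip: one benign entry, one "..", one absolute name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("../../etc/passwd", "escapes via dot-dot")
        zf.writestr("/etc/cron.d/job", "absolute path")
    return buf.getvalue()


def build_sample_tar():
    """Constructed sample tar: one benign entry and one ".." entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, payload in (("ok/file", b"benign"), ("../escape", b"dot-dot")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print("unsafe zip members:", unsafe_zip_members(build_sample_zip()))
    print("unsafe tar members:", unsafe_tar_members(build_sample_tar()))
```

Names such as "foo/../bar" are accepted because they still resolve
beneath the destination; the decision is made on the resolved path, not
on the presence of ".." anywhere in the string. Running the check over
an archive before extraction, and refusing the whole archive if any
member fails, is the conservative policy for hosts still running an
unpatched unzip or tar.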
Vendor Alerts:

  Mandrake Linux:
    8.0/RPMS/tar-1.13.25-6.2mdk.i586.rpm
      af16a2a8baa2102e329a9544e5493ab6
    http://www.mandrakesecure.net/en/ftp.php

    Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2437.html

+---------------------------------+
|  Package: apache                | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
A number of vulnerabilities were discovered in Apache versions prior to
1.3.27. The first concerns the use of shared memory (SHM) in Apache. An
attacker who is able to execute code as the UID of the webserver
(typically "apache") is able to send arbitrary processes a USR1 signal
as root. Using this vulnerability, the attacker can also cause the
Apache process to continuously spawn more child processes, thus causing
a local DoS. Another vulnerability was discovered by Matthew Murphy: a
cross-site scripting vulnerability in the standard 404 error page.
Finally, some buffer overflows were found in the "ab" benchmark program
that is included with Apache.

Vendor Alerts:

  Mandrake Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2454.html

  Gentoo:
    Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2452.html

  Trustix:
    Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2464.html

+---------------------------------+
|  Package: squirrelmail          | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
Cross-site scripting vulnerabilities allow remote attackers to execute
script as other web users via addressbook.php, options.php, search.php,
or help.php. It is also possible for remote attackers to determine the
absolute pathname of the options.php script via a malformed optpage
file argument, which generates an error message when the file cannot be
included in the script.
Vendor Alerts:

  Red Hat Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2438.html

+---------------------------------+
|  Package: dvips                 | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
A vulnerability has been found in dvips, which uses the system()
function insecurely when managing fonts.

Vendor Alerts:

  Red Hat Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2449.html

+---------------------------------+
|  Package: xinetd                | ----------------------------//
|  Date: 10-14-2002               |
+---------------------------------+

Description:
Versions 2.3.4 through 2.3.7 of xinetd leak file descriptors for the
signal pipe to services that are launched by xinetd. This could allow
an attacker to execute a DoS attack via the pipe.

Vendor Alerts:

  Red Hat Linux:
    ftp://updates.redhat.com/7.3/en/os/i386/xinetd-2.3.9-0.73.i386.rpm
      ef5508fb220839e60e21840a565972cc

    Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2453.html

+---------------------------------+
|  Package: kernel                | ----------------------------//
|  Date: 10-14-2002               |
+---------------------------------+

Description:
The updated kernel fixes local security issues and provides several
updated drivers to support newer hardware and fix bugs under Red Hat
Linux 7.3.
Vendor Alerts:

  Red Hat Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2461.html

  Trustix:
    Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2463.html

+---------------------------------+
|  Package: nss_ldap              | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
When versions of nss_ldap prior to nss_ldap-198 are configured without
a value for the "host" setting, nss_ldap will attempt to configure
itself by using SRV records stored in DNS. When parsing the results of
the DNS query, nss_ldap does not check that the data returned by the
server will fit into an internal buffer, leaving it vulnerable to a
buffer overflow. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-0825 to this issue.

Vendor Alerts:

  Gentoo Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2446.html

+---------------------------------+
|  Package: sendmail              | ----------------------------//
|  Date: 10-13-2002               |
+---------------------------------+

Description:
It is possible for an attacker to bypass the restrictions imposed by
The Sendmail Consortium's Restricted Shell (SMRSH) and execute a binary
of his choosing by inserting a special character sequence into his
.forward file.
Vendor Alerts:

  Gentoo Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2448.html

  Conectiva:
    Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2457.html

+---------------------------------+
|  Package: tomcat                | ----------------------------//
|  Date: 10-15-2002               |
+---------------------------------+

Description:
A security vulnerability has been confirmed to exist in Apache Tomcat
4.0.x releases (including Tomcat 4.0.5) which allows a specially
crafted URL to return the unprocessed source of a JSP page or, under
special circumstances, a static resource which would otherwise have
been protected by a security constraint, without the need to be
properly authenticated. This is based on a variant of the exploit that
was disclosed on 09/24/2002.

Vendor Alerts:

  Gentoo Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2451.html

+---------------------------------+
|  Package: fetchmail             | ----------------------------//
|  Date: 10-16-2002               |
+---------------------------------+

Description:
Stefan Esser discovered[1] two vulnerabilities in the fetchmail
functions responsible for parsing message headers. These
vulnerabilities are present in unpatched versions of fetchmail prior to
6.1.0 and can be exploited only if it is running in "multidrop" mode.
Vendor Alerts:

  Conectiva Linux:
    ftp://atualizacoes.conectiva.com.br/8/RPMS/
      fetchmail-5.9.12-1U80_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/
      fetchmailconf-5.9.12-1U80_2cl.i386.rpm
    ftp://atualizacoes.conectiva.com.br/8/RPMS/
      fetchmail-doc-5.9.12-1U80_2cl.i386.rpm

    Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2456.html

+---------------------------------+
|  Package: XFree86               | ----------------------------//
|  Date: 10-16-2002               |
+---------------------------------+

Description:
This advisory addresses several vulnerabilities[1] in XFree86-4.0.1 in
Conectiva Linux 6.0 and XFree86-4.0.3 in Conectiva Linux 7.0. Conectiva
Linux 8 was previously updated[2] and already contains these fixes.

Vendor Alerts:

  Conectiva Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2459.html

+---------------------------------+
|  Package: glibc                 | ----------------------------//
|  Date: 10-16-2002               |
+---------------------------------+

Description:
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is kept
in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function. The glibc package also contains
national language (locale) support and timezone databases.
Vendor Alerts:

  Trustix Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2465.html

+---------------------------------+
|  Package: postgresql            | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
Patched to fix the lack of several integer checks in the code and the
existence of several buffer overflow issues.

Vendor Alerts:

  Trustix Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2466.html

+---------------------------------+
|  Package: python                | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
Zack Weinberg discovered an insecure use of a temporary file in
os._execvpe from os.py. The implementation uses a predictable name,
which could lead to execution of arbitrary code.

Vendor Alerts:

  Trustix Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2468.html

+---------------------------------+
|  Package: ppp                   | ----------------------------//
|  Date: 10-17-2002               |
+---------------------------------+

Description:
Gerald Dachs found a problem in the /etc/pam.d configuration file, and
his fix has been implemented in the TSL 1.5 package.

Vendor Alerts:

  Trustix Linux:
    PLEASE SEE VENDOR ADVISORY FOR UPDATE

    Trustix Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2469.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------