+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch  |
|  October 25th, 2002                       Volume 3, Number 43a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                 Benjamin Thomas
               dave@linuxsecurity.com      ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for webalizer, ethereal, ggv,
mod-ssl, tetex, NetBSD kernel, heimdal, groff, nis, Linux kernel,
unzip, xinetd, php, nss_ldap, gaim, fetchmail, glibc, apache, xfree,
zope, ypserv, postgresql, and kdegraphics. The vendors include Caldera,
Debian, EnGarde, Gentoo, Mandrake, NetBSD, Red Hat, SuSE, and Yellow
Dog.

FEATURE: Designing Shellcode Demystified

This paper is about the fundamentals of shellcode design and is
entirely specific to Linux 2.2 on the IA-32 architecture. The base
principles apply to all architectures, whereas the details obviously
might not.

http://www.linuxsecurity.com/feature_stories/feature_story-122.html

+---------------------------------+
|  Package: webalizer             | ----------------------------//
|  Date: 10-22-2002               |
+---------------------------------+

Description:
  The webalizer program performs reverse DNS lookups.
  Using a buffer overflow in this reverse lookup code, an attacker who
  controls a rogue DNS server can gain root access to the machine
  running webalizer.

Vendor Alerts:
  Caldera:
    ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-036.0/RPMS/webalizer-2.01_09-2.i386.rpm
    258245a154ba0b220b56cde31b2e3c7d
  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-2496.html

+---------------------------------+
|  Package: ethereal              | ----------------------------//
|  Date: 10-22-2002               |
+---------------------------------+

Description:
  The SMB dissector in Ethereal 0.9.3 and earlier allows remote
  attackers to cause a denial of service (crash) or execute arbitrary
  code via malformed packets that cause Ethereal to dereference a NULL
  pointer.

Vendor Alerts:
  Caldera:
    ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-036.0/RPMS/ethereal-0.9.4-1.i386.rpm
    258245a154ba0b220b56cde31b2e3c7d
  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-2496.html
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2486.html

+---------------------------------+
|  Package: ggv                   | ----------------------------//
|  Date: 10-22-2002               |
+---------------------------------+

Description:
  Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
  viewer for X11. The same code is present in gnome-gv. The problem is
  triggered while scanning the PostScript file and can be exploited by
  an attacker sending a malformed PostScript or PDF file. The attacker
  is able to cause arbitrary code to be run with the privileges of the
  victim.
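An added example, not code from webalizer, glibc, or any vendor advisory. The webalizer entry above and the glibc resolver entry later in this issue are the same defect seen from two sides: DNS response data is copied into a fixed-size buffer without checking how many bytes the packet actually holds (glibc's read overflow) or how many the destination can take (webalizer's write overflow). A rogue DNS server controls both the label lengths and the label bytes. The decoder below bounds both, and caps compression-pointer hops so a self-referencing pointer cannot loop. The packet bytes are a constructed sample.

```c
/* Added example: bounded DNS name decoding. Illustrative code, not the
 * webalizer or glibc source. The packet below is constructed by hand. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 256   /* 255 octets per RFC 1035 plus the NUL */

/* Decode the DNS name starting at pkt[off] into out (dotted form, NUL
 * terminated). Returns the number of bytes the name occupies at off, or -1
 * if the name runs past pktlen (read bound), would not fit in outlen (write
 * bound), uses a reserved label type, or chases compression pointers in a
 * loop. A negative result must be treated as a malformed response. */
int dns_decode_name(const unsigned char *pkt, size_t pktlen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, written = 0;
    int hops = 0, consumed = -1;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (pos >= pktlen)                       /* read bound: length octet */
            return -1;
        unsigned len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {              /* compression pointer */
            if (pos + 1 >= pktlen)
                return -1;
            if (consumed < 0)                    /* name ends at first pointer */
                consumed = (int)(pos + 2 - off);
            if (++hops > 16)                     /* pointer loop, e.g. self-reference */
                return -1;
            pos = ((len & 0x3F) << 8) | pkt[pos + 1];
            continue;
        }
        if (len & 0xC0)                          /* 0x40/0x80: reserved label types */
            return -1;
        pos++;
        if (len == 0)                            /* root label terminates the name */
            break;
        if (pos + len > pktlen)                  /* read bound: label bytes */
            return -1;
        /* write bound: text so far + '.' separator + label + NUL */
        if (written + (written ? 1 : 0) + len + 1 > outlen)
            return -1;
        if (written)
            out[written++] = '.';
        memcpy(out + written, pkt + pos, len);
        written += len;
        pos += len;
    }
    out[written] = '\0';
    if (consumed < 0)
        consumed = (int)(pos - off);
    return consumed;
}

/* Constructed sample: a response fragment holding a normal name, a name
 * that uses a compression pointer, a self-referencing pointer, and a label
 * whose length octet claims more bytes than the packet holds. */
const unsigned char sample_pkt[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* off 0  */
    4,'m','a','i','l', 0xC0, 4,                                      /* off 17 */
    0xC0, 24,                                                        /* off 24 */
    40,'x','y'                                                       /* off 26 */
};
const size_t sample_len = sizeof sample_pkt;

int main(void)
{
    char name[HOSTNAME_MAX];
    size_t offs[] = { 0, 17, 24, 26 };
    for (size_t i = 0; i < 4; i++) {
        int r = dns_decode_name(sample_pkt, sample_len, offs[i], name, sizeof name);
        if (r < 0)
            printf("offset %zu: rejected as malformed\n", offs[i]);
        else
            printf("offset %zu: %s (%d bytes)\n", offs[i], name, r);
    }
    return 0;
}
```

A rejected name is an error the caller should discard, not truncate: webalizer only needs the hostname for a report, and a report line that says "lookup failed" is the correct outcome for a response that does not decode.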
Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/g/gnome-gv/gnome-gv_0.82-2.1_i386.deb
    Size/MD5 checksum: 131118 7d2712b05b78e757568efabee83c9bc0
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2472.html
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2493.html
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2470.html
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2483.html

+---------------------------------+
|  Package: nis                   | ----------------------------//
|  Date: 10-21-2002               |
+---------------------------------+

Description:
  Thorsten Kukuck discovered a problem in the ypserv program, which is
  part of the Network Information Service (NIS). A memory leak in all
  versions of ypserv prior to 2.5 is remotely exploitable: when a
  malicious user requests a non-existent map, the server leaks parts of
  an old domain name and map name.

Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/n/nis/nis_3.8-2.1_i386.deb
    Size/MD5 checksum: 165064 bae6f9b96c61c2dea0f23acb96795e3a
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2476.html

+---------------------------------+
|  Package: mod-ssl               | ----------------------------//
|  Date: 10-21-2002               |
+---------------------------------+

Description:
  Joe Orton discovered a cross-site scripting problem in mod_ssl, an
  Apache module that adds strong cryptography (i.e. HTTPS support) to
  the web server. The module returns the server name unescaped in the
  response to a plain HTTP request on an SSL port.
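An added example, not mod_ssl code. The fix for a reflected server name is output encoding at the point where the name enters the HTML, not filtering somewhere upstream. Below, an assumed error-page builder escapes the HTML-significant characters before reflecting the name into both an attribute value and a text node, and refuses to answer if the escaped form does not fit. The page wording is modelled on the plain-HTTP-on-an-SSL-port hint but is an assumption, not the module's actual text, and the hostile name is constructed.

```c
/* Added example: HTML-escaping a server name before it is reflected into
 * an error page. Illustrative code, not mod_ssl's; page layout assumed. */
#include <stdio.h>
#include <string.h>

/* Escape s for an HTML text node or double-quoted attribute. Returns the
 * number of bytes written (excluding the NUL), or -1 if out is too small,
 * in which case out is left empty rather than partially escaped. */
int html_escape(const char *s, char *out, size_t outlen)
{
    size_t w = 0;
    if (outlen == 0)
        return -1;
    for (; *s; s++) {
        char lit[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = lit;      break;
        }
        size_t n = strlen(rep);
        if (w + n + 1 > outlen) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + w, rep, n);
        w += n;
    }
    out[w] = '\0';
    return (int)w;
}

/* Build the hint page. Returns 0 on success, -1 if the name cannot be
 * escaped into the bounded buffer; the request should then be refused
 * rather than answered with an unescaped or truncated name. */
int build_https_hint(const char *server_name, char *page, size_t pagelen)
{
    char safe[512];
    if (html_escape(server_name, safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(page, pagelen,
        "<p>Reason: You're speaking plain HTTP to an SSL-enabled server port.</p>\n"
        "<p>Hint: <a href=\"https://%s/\">https://%s/</a></p>\n", safe, safe);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : 0;
}

int main(void)
{
    char page[2048];
    /* Constructed hostile Host value of the kind a reflected XSS relies on. */
    if (build_https_hint("evil\"><script>alert(1)</script>", page, sizeof page) == 0)
        fputs(page, stdout);
    return 0;
}
```

The name is escaped once and the escaped copy is used in both contexts; escaping the attribute and the text node separately is where hand-written page generators usually miss one of the two.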
Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_i386.deb
    Size/MD5 checksum: 199266 6c89113c7cf5d0e82c436fe967c7b2f3
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2492.html
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2503.html

+---------------------------------+
|  Package: tetex                 | ----------------------------//
|  Date: 10-23-2002               |
+---------------------------------+

Description:
  Olaf Kirch discovered a vulnerability in dvips that allows remote
  users with access to the printer to execute commands as the lp user
  by sending specially crafted print jobs.

Vendor Alerts:
  Mandrake: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2495.html
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2473.html
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2480.html

+---------------------------------+
|  Package: kdegraphics           | ----------------------------//
|  Date: 10-24-2002               |
+---------------------------------+

Description:
  A vulnerability exists in KGhostView, part of the kdegraphics
  package. It includes a DSC 3.0 parser from GSview and is vulnerable
  to a buffer overflow while parsing a specially crafted .ps file. It
  also contains code from gv which is vulnerable to a similar buffer
  overflow triggered by malformed PostScript and PDF files. This has
  been fixed in KDE 3.0.4, and patches have been applied to correct
  these packages.
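An added example, not code from gv, gnome-gv, or KGhostView. The ggv and kdegraphics entries describe the same parser defect: a DSC comment value read into a fixed-size buffer by an unbounded string conversion. The bounded reader below rejects an oversized value instead of truncating it, and the %%BoundingBox helper shows that even integer fields need their conversion count and geometry checked. The sample lines, including the 400-byte %%Title, are constructed.

```c
/* Added example: bounded parsing of PostScript DSC comment lines.
 * Illustrative code, not the gv, gnome-gv or KGhostView source. */
#include <stdio.h>
#include <string.h>

#define DSC_VALUE_MAX 256

/* The unsafe shape the gv-family advisories describe, reconstructed here
 * as a comment only: a %s conversion with no field width, so a comment
 * value longer than the buffer overruns it.
 *
 *     char title[256];
 *     sscanf(line, "%%%%Title: %s", title);
 */

/* Return 1 and copy the value when line is "%%<key>: <value>", 0 when it
 * is some other line, -1 when the value would not fit in vallen bytes. An
 * oversized value is rejected outright rather than silently truncated. */
int dsc_get(const char *line, const char *key, char *val, size_t vallen)
{
    size_t klen = strlen(key);
    if (vallen == 0)
        return -1;
    if (strncmp(line, "%%", 2) != 0)
        return 0;
    line += 2;
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;
    line += klen + 1;
    while (*line == ' ' || *line == '\t')
        line++;
    size_t n = strcspn(line, "\r\n");        /* value runs to end of line */
    if (n + 1 > vallen)
        return -1;
    memcpy(val, line, n);
    val[n] = '\0';
    return 1;
}

/* %%BoundingBox: llx lly urx ury. Integers cannot overflow a buffer, but
 * the conversion count and the box geometry still have to be checked. */
int dsc_bbox(const char *line, int bbox[4])
{
    char v[DSC_VALUE_MAX];
    int r = dsc_get(line, "BoundingBox", v, sizeof v);
    if (r != 1)
        return r;
    if (sscanf(v, "%d %d %d %d", &bbox[0], &bbox[1], &bbox[2], &bbox[3]) != 4)
        return -1;
    if (bbox[2] < bbox[0] || bbox[3] < bbox[1])
        return -1;
    return 1;
}

/* Constructed hostile line: a %%Title comment with a 400-byte value, which
 * is what overran the 256-byte buffer. Returns the parser's verdict. */
int parse_oversized_title(void)
{
    char line[512], title[DSC_VALUE_MAX];
    memcpy(line, "%%Title: ", 9);
    memset(line + 9, 'A', 400);
    memcpy(line + 409, "\n", 2);
    return dsc_get(line, "Title", title, sizeof title);
}

int main(void)
{
    const char *sample[] = {
        "%!PS-Adobe-3.0\n",
        "%%Title: Quarterly report\n",
        "%%BoundingBox: 0 0 612 792\n",
    };
    char title[DSC_VALUE_MAX];
    int bbox[4];
    for (size_t i = 0; i < 3; i++) {
        if (dsc_get(sample[i], "Title", title, sizeof title) == 1)
            printf("title: %s\n", title);
        if (dsc_bbox(sample[i], bbox) == 1)
            printf("bbox: %d %d %d %d\n", bbox[0], bbox[1], bbox[2], bbox[3]);
    }
    printf("oversized title verdict: %d\n", parse_oversized_title());
    return 0;
}
```

Rejecting rather than truncating matters for a viewer: a truncated %%BoundingBox or %%Pages value silently changes what gets rendered, while a rejected comment is simply ignored and the document still displays.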
Vendor Alerts:
  Mandrake:
    8.2/RPMS/kdegraphics-2.2.2-15.1mdk.i586.rpm
    d96f35aa8104d6cfe342a7eec7547a77
    8.2/RPMS/kdegraphics-devel-2.2.2-15.1mdk.i586.rpm
    4b4649c446fd2651902c01381f96b9d9
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2502.html

+---------------------------------+
|  Package: NetBSD kernel         | ----------------------------//
|  Date: 10-23-2002               |
+---------------------------------+

Description:
  The KAME-based IPsec implementation included in NetBSD was missing
  some packet length checks and could be tricked into passing a
  negative value as a buffer length. By transmitting a specially formed
  (very short) ESP packet, a malicious sender can cause a kernel panic
  on the victim node.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2490.html

+---------------------------------+
|  Package: heimdal               | ----------------------------//
|  Date: 10-21-2002               |
+---------------------------------+

Description:
  All versions prior to Heimdal 0.5.1 and 0.4enb1 are vulnerable.
  NetBSD 1.5, 1.6, and -current (prior to October 21, 2002) ship with
  a vulnerable version. The problem is a buffer overflow in the
  Kerberos version 4 compatibility layer of kadmind.

Vendor Alerts:
  NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  NetBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/netbsd_advisory-2491.html

+---------------------------------+
|  Package: groff                 | ----------------------------//
|  Date: 10-19-2002               |
+---------------------------------+

Description:
  The groff preprocessor contains an exploitable buffer overflow. If
  groff can be invoked from within the LPRng printing system, an
  attacker can gain the rights of the "lp" user. Remote exploitation
  may be possible if lpd is running and is accessible remotely, and
  the attacker knows the name of the printer and spool file.
Vendor Alerts:
  Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2474.html

+---------------------------------+
|  Package: kernel                | ----------------------------//
|  Date: 10-19-2002               |
+---------------------------------+

Description:
  There are several potentially exploitable local vulnerabilities in
  the Linux kernel. During a code audit several sign-handling, math
  overflow, and other vulnerabilities were fixed. These fixes were
  made in 2.2.22-rc1 and have been backported to the EnGarde kernel.

Vendor Alerts:
  EnGarde: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  EnGarde Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2477.html

+---------------------------------+
|  Package: unzip                 | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  The unzip and tar utilities contain vulnerabilities which can allow
  arbitrary files to be overwritten during archive extraction. The
  unzip and tar utilities are used for manipulating archives, which
  are multiple files stored inside a single file.

Vendor Alerts:
  Yellow Dog:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
    ppc/tar-2.3.9-0.73.3a.ppc.rpm
    1de42ffa96d6bdf268da5fc0fdb7c848
    ppc/unzip-5.50-2.ppc.rpm
    779b7bf8aa001663666675c56a432287
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2478.html

+---------------------------------+
|  Package: xinetd                | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  Versions 2.3.4 through 2.3.7 of xinetd leak the file descriptors of
  its internal signal pipe to the services it launches. This could
  allow an attacker to mount a denial of service attack via the pipe.
  All users are advised to upgrade to the errata packages containing
  xinetd version 2.3.9, which is not vulnerable to this issue.
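An added example, not xinetd code. The xinetd entry is a descriptor-inheritance bug: a pipe the daemon uses privately for signal handling is still open, under the same numbers, inside every service it execs, so a service can write into it. The program below reproduces the leak with a pipe and a /bin/sh child standing in for the service, then closes the hole with FD_CLOEXEC so the descriptors vanish at execve() without any change to the child. The child command line is constructed for the demonstration.

```c
/* Added example: keeping a daemon's private pipe out of the services it
 * spawns. Illustrative code, not xinetd's. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark fd close-on-exec so it is not inherited across execve().
 * Returns 0 on success, -1 on failure. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Simulate the daemon's signal pipe and one spawned service. The service
 * is /bin/sh trying to write into the inherited write end by number.
 * Returns 1 if the service reached the pipe (descriptor leaked), 0 if it
 * could not, -1 on setup failure. */
int service_can_reach_pipe(int protect)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    if (protect && (set_cloexec(p[0]) < 0 || set_cloexec(p[1]) < 0))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Stand-in service: knows (or guesses) the pipe's fd number. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", p[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    close(p[1]);                     /* parent keeps only the read end */
    char buf[16];
    ssize_t n = read(p[0], buf, sizeof buf);   /* EOF once no writer remains */
    int status;
    waitpid(pid, &status, 0);
    close(p[0]);
    return n > 0 ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: service %s the pipe\n",
           service_can_reach_pipe(0) == 1 ? "reached" : "could not reach");
    printf("with FD_CLOEXEC:    service %s the pipe\n",
           service_can_reach_pipe(1) == 1 ? "reached" : "could not reach");
    return 0;
}
```

On a 2002-era kernel the choices were FD_CLOEXEC or closing the descriptors by hand between fork() and exec(). On Linux 2.6.27 and later, pipe2(p, O_CLOEXEC) sets the flag atomically at creation, which also removes the window in which another thread could fork() and inherit the pipe before fcntl() runs.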
Vendor Alerts:
  Yellow Dog:
    ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
    ppc/xinetd-2.3.9-0.73.3a.ppc.rpm
    218b1aa59c80092225f9d14eaf75676e
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2479.html

+---------------------------------+
|  Package: php                   | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  PHP is an HTML-embedded scripting language commonly used with Apache.
  PHP versions 4.0.5 through 4.1.0 in safe mode do not properly cleanse
  the fifth parameter to the mail() function. This vulnerability allows
  local users, and possibly remote attackers, to execute arbitrary
  commands via shell metacharacters.

Vendor Alerts:
  Yellow Dog: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2481.html

+---------------------------------+
|  Package: nss_ldap              | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  Versions of pam_ldap prior to version 144 include a format string bug
  in the logging function. The packages included in this erratum update
  pam_ldap to version 144, fixing this bug. The Common Vulnerabilities
  and Exposures project (cve.mitre.org) has assigned the name
  CAN-2002-0374 to this issue.

Vendor Alerts:
  Yellow Dog: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2482.html

+---------------------------------+
|  Package: gaim                  | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  Versions of gaim prior to 0.59.1 contain a bug in the URL handler of
  the manual browser option. A link can be carefully crafted to contain
  an arbitrary shell script, which will be executed if the user clicks
  on the link.
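An added example, not gaim or PHP code. The gaim URL-handler bug and the PHP mail() fifth-parameter bug are one pattern: attacker-controlled text is spliced into a command line and handed to /bin/sh, so shell metacharacters become commands. The two functions below do the same job, launching a "browser" on a URL, once through the shell and once by exec with the URL as a single argv element. /bin/echo stands in for the browser, the hostile link is constructed, and its "; exit 7" tail is visible as exit status 7 only on the shell path.

```c
/* Added example: handing a user-supplied URL to a shell versus passing it
 * as an argv element. Illustrative code, not gaim's or PHP's. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape: the URL is spliced into a command line that /bin/sh
 * interprets, so ';', '`', '$(...)', '|' and friends inside the URL run
 * as commands. Returns the exit status the shell reported, or -1. */
int open_url_via_shell(const char *browser, const char *url)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s", browser, url);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int st = system(cmd);
    return (st == -1 || !WIFEXITED(st)) ? -1 : WEXITSTATUS(st);
}

/* Hardened shape: fork and exec the browser directly with the URL as one
 * argv element. No shell parses it, so metacharacters are ordinary bytes.
 * Returns the browser's exit status, or -1. */
int open_url_via_exec(const char *browser, const char *url)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed hostile link: the shell treats "; exit 7" as a second
 * command, observable as exit status 7 instead of echo's 0. */
const char *hostile_url = "http://example.com/; exit 7";

int main(void)
{
    printf("via shell: status %d\n", open_url_via_shell("/bin/echo", hostile_url));
    printf("via exec:  status %d\n", open_url_via_exec("/bin/echo", hostile_url));
    return 0;
}
```

There is no character allowlist that makes the shell path safe for URLs, because ';', '&', '$', '(' and the quote characters are all legal URL characters. The same reasoning applies to PHP's mail(): the fifth parameter is a set of sendmail options, and whatever reaches a shell with it unescaped is an injection, so the fix is to keep the shell out of the path and pass only validated options.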
Vendor Alerts:
  Yellow Dog: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2484.html

+---------------------------------+
|  Package: fetchmail             | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  Two remotely triggerable bugs were fixed. The first allows a remote
  attacker to crash Fetchmail by sending a carefully crafted DNS packet.
  The second allows a remote attacker to craft an email in such a way
  that, when it is parsed by Fetchmail, a heap overflow occurs, allowing
  remote arbitrary code execution.

Vendor Alerts:
  Yellow Dog: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2485.html

+---------------------------------+
|  Package: glibc                 | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  A read buffer overflow vulnerability exists in the glibc resolver
  code in versions of glibc up to and including 2.2.5. The
  vulnerability is triggered by DNS packets larger than 1024 bytes and
  can cause applications to crash.

Vendor Alerts:
  Yellow Dog: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2487.html

+---------------------------------+
|  Package: apache                | ----------------------------//
|  Date: 10-20-2002               |
+---------------------------------+

Description:
  Please check whether you are affected by running "/bin/rpm -q
  apache". If you have an affected version of the "apache" package,
  upgrade it according to the vendor advisory. Remember to also rebuild
  and reinstall any dependent OpenPKG packages.
Vendor Alerts:
  Yellow Dog: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Yellow Dog Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2494.html

+---------------------------------+
|  Package: xfree                 | ----------------------------//
|  Date: 10-24-2002               |
+---------------------------------+

Description:
  Roberto Zunino discovered a vulnerability in the MIT-SHM extension of
  XFree86 prior to version 4.2.1. The vulnerability allows a local user
  who can run XFree86 to gain read/write access to any shared memory
  segment on the system. Although using shared memory segments to store
  trusted data is not common practice, by exploiting this vulnerability
  the attacker can potentially read and/or change sensitive
  information.

Vendor Alerts:
  Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2499.html

+---------------------------------+
|  Package: zope                  | ----------------------------//
|  Date: 10-24-2002               |
+---------------------------------+

Description:
  Zope (www.zope.org) will reveal the complete physical location where
  the server and its components are installed if it receives
  "incorrect" XML-RPC requests. In some cases it will also reveal
  information about servers on the protected LAN (10.x.x.x, for
  example) for which the current server is relaying.

Vendor Alerts:
  Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2500.html

+---------------------------------+
|  Package: ypserv                | ----------------------------//
|  Date: 10-24-2002               |
+---------------------------------+

Description:
  ypserv is an NIS authentication server. ypserv versions before 2.5
  contain a memory leak that can be triggered remotely.
Vendor Alerts:
  Red Hat: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2497.html

+---------------------------------+
|  Package: postgresql            | ----------------------------//
|  Date: 10-21-2002               |
+---------------------------------+

Description:
  The PostgreSQL object-relational DBMS was found to be vulnerable to
  several security-related buffer overflow problems.

Vendor Alerts:
  SuSE: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2475.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------