+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 8th, 2002                       Volume 3, Number 45a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for log2mail, apache, luxman,
wmaker, squirrelmail, IPFilter, perl-MailTools, glibc, kerberos,
heartbeat, dvips, krb5, gv, tar/unzip, ypserv, and linuxconf. The
distributors include Conectiva, Debian, Gentoo, NetBSD, Red Hat, and
SuSE.

FEATURE: Security - Physical and Service
The first installment of a three-part article covering everything
from physical security and service security to LAMP security (Linux
Apache MySQL PHP).

http://www.linuxsecurity.com/feature_stories/feature_story-128.html

FEATURE: Remote Syslogging - A Primer
The syslog daemon is a very versatile tool that should never be
overlooked under any circumstances. The facility itself provides a
wealth of information regarding the local system that it monitors.
http://www.linuxsecurity.com/feature_stories/feature_story-123.html

+---------------------------------+
|  Package: log2mail              | ----------------------------//
|  Date: 11-05-2002               |
+---------------------------------+

Description:
Enrico Zini discovered a buffer overflow in log2mail, a daemon for
watching logfiles and sending lines with matching patterns via mail.
The log2mail daemon is started upon system boot and runs as root. A
specially crafted (remote) log message could overflow a static
buffer, potentially leading log2mail to execute arbitrary code as
root.

Vendor Alerts:

 Debian:
  http://security.debian.org/pool/updates/main/l/log2mail/
  log2mail_0.2.5.1_i386.deb
  Size/MD5 checksum: 38532 ca7b3f97063ee1de06eb2ec97c3c4f52

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2525.html

+---------------------------------+
|  Package: apache                | ----------------------------//
|  Date: 11-04-2002               |
+---------------------------------+

Description:
According to David Wagner, iDEFENSE and the Apache HTTP Server
Project, several remotely exploitable vulnerabilities have been found
in the Apache package, a commonly used webserver. These
vulnerabilities could allow an attacker to enact a denial of service
against a server or execute a cross-site scripting attack.

Vendor Alerts:

 Debian:
  http://security.debian.org/pool/updates/main/a/apache/
  apache_1.3.9-14.3_i386.deb
  Size/MD5 checksum: 359946 aae786f44f00d4c62b09ccd33fbef609

  http://security.debian.org/pool/updates/main/a/apache/
  apache-common_1.3.9-14.3_i386.deb
  Size/MD5 checksum: 718786 33046433f742f4bf5628d82afad4c18e

  http://security.debian.org/pool/updates/main/a/apache/
  apache-dev_1.3.9-14.3_i386.deb
  Size/MD5 checksum: 548902 86fd170a541de8c70d5abff2fca8d544

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2526.html

  Debian Vendor Advisory: (apache-ssl)
  http://www.linuxsecurity.com/advisories/debian_advisory-2527.html

 Conectiva:
  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2531.html

+---------------------------------+
|  Package: luxman                | ----------------------------//
|  Date: 11-06-2002               |
+---------------------------------+

Description:
iDEFENSE reported a vulnerability in LuxMan, a maze game for
GNU/Linux, similar to the PacMan arcade game. When successfully
exploited, it gives a local attacker read-write access to memory,
leading to a local root compromise in many ways, examples of which
include scanning the file for fragments of the master password file
and modifying kernel memory to re-map system calls.

Vendor Alerts:

 Debian:
  http://security.debian.org/pool/updates/main/l/
  luxman/luxman_0.41-17.1_i386.deb
  Size/MD5 checksum: 290680 e9aa37d421068e828307ef5c816ad72d

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2538.html

+---------------------------------+
|  Package: wmaker                | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
iDEFENSE reported a vulnerability in LuxMan, a maze game for
GNU/Linux, similar to the PacMan arcade game.
When successfully exploited, it gives a local attacker read-write
access to memory, leading to a local root compromise in many ways,
examples of which include scanning the file for fragments of the
master password file and modifying kernel memory to re-map system
calls.

Vendor Alerts:

 Debian:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2541.html

+---------------------------------+
|  Package: squirrelmail          | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
Several cross-site scripting vulnerabilities have been found in
squirrelmail, a feature-rich webmail package written in PHP4.

Vendor Alerts:

 Debian:
  http://security.debian.org/pool/updates/main/s/
  squirrelmail/squirrelmail_1.2.6-1.1_all.deb
  Size/MD5 checksum: 1839498 9e9c7ff1f5b42aaea021af563b76deaa

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2543.html

+---------------------------------+
|  Package: IPFilter (FTP)        | ----------------------------//
|  Date: 11-05-2002               |
+---------------------------------+

Description:
The FTP proxy module in the IPFilter package may not adequately
maintain the state of FTP commands and responses. As a result, an
attacker could establish arbitrary TCP connections to FTP servers or
clients located behind a vulnerable firewall.

Vendor Alerts:

 NetBSD:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  NetBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-2528.html

+---------------------------------+
|  Package: perl-MailTools        | ----------------------------//
|  Date: 11-05-2002               |
+---------------------------------+

Description:
This package contains a security hole which allows remote attackers
to execute arbitrary commands in certain circumstances. This is due
to the use of mailx as the default mailer, which allows commands to
be embedded in the mail body.

Vendor Alerts:

 SuSE:
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
  perl-MailTools-1.47-29.i586.rpm
  d41d8cd98f00b204e9800998ecf8427e

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2529.html

 Gentoo:
  Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2530.html

+---------------------------------+
|  Package: glibc                 | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
A read buffer overflow vulnerability exists in the glibc resolver
code in versions of glibc up to and including 2.2.5. The
vulnerability is triggered by DNS packets larger than 1024 bytes and
can cause applications to crash.

Vendor Alerts:

 Red Hat:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2542.html

 Conectiva:
  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2537.html

+---------------------------------+
|  Package: kerberos              | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
A remotely exploitable stack buffer overflow has been found in the
Kerberos v4 compatibility administration daemon distributed with the
Red Hat Linux krb5 packages.

Vendor Alerts:

 Red Hat:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2544.html

+---------------------------------+
|  Package: heartbeat             | ----------------------------//
|  Date: 11-03-2002               |
+---------------------------------+

Description:
Nathan Wallwork reported several format string vulnerabilities[2] in
heartbeat that could possibly be used by a remote attacker to execute
arbitrary code with root privileges.

Vendor Alerts:

 Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  heartbeat-0.4.9.1-2U80_1cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  heartbeat-ldirectord-0.4.9.1-2U80_1cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  heartbeat-stonith-0.4.9.1-2U80_1cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2532.html

+---------------------------------+
|  Package: dvips                 | ----------------------------//
|  Date: 11-03-2002               |
+---------------------------------+

Description:
Olaf Kirch from SuSE discovered a vulnerability in the dvips utility,
which is used to convert .dvi files to PostScript. dvips calls the
system() function in an insecure way when handling font names. An
attacker can exploit this by creating a carefully crafted dvi file
which, when opened by dvips, will cause the execution of arbitrary
commands.

Vendor Alerts:

 Conectiva:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2533.html

+---------------------------------+
|  Package: krb5                  | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
There is a buffer overflow vulnerability[2][3] in the Kerberos 4
remote administration service (kadmind4) that could be used by a
remote attacker to execute arbitrary commands on the server with root
privileges.

Vendor Alerts:

 Conectiva:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2534.html

+---------------------------------+
|  Package: gv                    | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
Zen Parse found[1] a buffer overflow vulnerability in gv version
3.5.8 and earlier. kghostview (from kdegraphics versions prior to
3.0.4) is also affected, since it has some code derived from the same
project.
An attacker can exploit this vulnerability by creating a carefully
crafted PDF file that, when opened by gv or kghostview, causes the
execution of arbitrary code.

Vendor Alerts:

 Conectiva:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2535.html

+---------------------------------+
|  Package: tar/unzip             | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
Both tar and unzip have directory traversal vulnerabilities in the
way they extract filenames containing ".." or "/" characters at the
beginning. By exploiting these vulnerabilities, a malicious user can
overwrite arbitrary files if the user unpacking such an archive has
sufficient filesystem permissions to do so.

Vendor Alerts:

 Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  tar-1.13.25-2U80_1cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  unzip-5.50-1U80_1cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2536.html

+---------------------------------+
|  Package: ypserv                | ----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description:
Thorsten Kukuk identified and fixed a memory leak vulnerability[2] in
the ypserv daemon. Requests for non-existing maps would cause the
ypserv daemon to consume more and more memory. An attacker in the
local network could flood the service with such requests until the
memory is exhausted, resulting in a DoS condition.

Vendor Alerts:

 Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  ypserv-1.3.12-4U80_1cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2539.html

+---------------------------------+
|  Package: linuxconf             | ----------------------------//
|  Date: 11-06-2002               |
+---------------------------------+

Description:
There is a problem[1] in the sendmail.cf file generated by the
mailconf module that allows sendmail to be used as an open relay. By
exploiting this vulnerability, a malicious user could send SPAM
through the sendmail server without being in its served network. In
order to do that, the recipient address of the messages must be in
the format "user%domain@".

Vendor Alerts:

 Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/
  linuxconf-mailconf-1.25r3-39U80_1cl.i386.rpm

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2540.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------