+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 15th, 2002                      Volume 3, Number 46a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave@linuxsecurity.com       ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for PXE, libpng, python, html2ps,
kdenetwork, masqmail, apache-perl, bind, kadmind, smrsh, resolver,
perl-MailTools, nss_ldap, php, traceroute, kgpg, apache, kdelibs, and
syslog-ng. The distributors include Caldera, Conectiva, Debian, Guardian
Digital's EnGarde Secure Linux, FreeBSD, Gentoo, Mandrake, Red Hat, and
SuSE.

Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what the
other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

FEATURE: Security: Physical and Service (1 of 3) - The first
installment of a 3-part article covering everything from physical
security and service security to LAMP security (Linux, Apache, MySQL,
PHP).
http://www.linuxsecurity.com/feature_stories/feature_story-128.html

FEATURE: Security: Apache (2 of 3) - This is the second installment of
a 3-part article on LAMP (Linux, Apache, MySQL, PHP). Apache is the most
widely used HTTP server in the world today.
http://www.linuxsecurity.com/feature_stories/feature_story-129.html

+---------------------------------+
|  Package: PXE                   |
----------------------------//
|  Date: 11-11-2002               |
+---------------------------------+

Description: The PXE server can be crashed by using corrupt DHCP packets.
This bug could be used to cause a denial-of-service attack.

Vendor Alerts:
  Caldera:
    ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-044.0/RPMS
      pxe-0.1-33.i386.rpm  75380c0629500bcb6ac3185fd7f68cf9
  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-2551.html

+---------------------------------+
|  Package: libpng                |
----------------------------//
|  Date: 11-12-2002               |
+---------------------------------+

Description: There are two buffer overflow vulnerabilities in the libpng
code: one can be used to cause a denial of service, and the other can
cause a denial of service with the possibility of executing arbitrary
code.

Vendor Alerts:
  Caldera: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-2558.html

+---------------------------------+
|  Package: python                |
----------------------------//
|  Date: 11-14-2002               |
+---------------------------------+

Description: os._execvpe from os.py in Python creates temporary files
with predictable names, which could allow local users to execute
arbitrary code via a symlink attack.

Vendor Alerts:
  Caldera:
    ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-045.0/RPMS
      python-1.5.2-23.i386.rpm        d02a87d515a2e0295b61a70e21d85d67
      python-devel-1.5.2-23.i386.rpm  f026986740ce3b24aa75a6ef6d6f813d
      python-docs-1.5.2-23.i386.rpm   a4d8a3a8a6011f4d87d1a3c3e75150d1
      python-tools-1.5.2-23.i386.rpm  6283c3abfb5a339d6f3c8e1b2b0304fc
  Caldera Vendor Advisory:
    http://www.linuxsecurity.com/advisories/caldera_advisory-2573.html

+---------------------------------+
|  Package: html2ps               |
----------------------------//
|  Date: 11-08-2002               |
+---------------------------------+

Description: The SuSE Security Team found a vulnerability in html2ps, an
HTML to PostScript converter, that opened files based on unsanitized
input insecurely.
This problem can be exploited when html2ps is installed as a filter
within LPRng and the attacker has previously gained access to the lp
account.

Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/h/html2ps/html2ps_1.0b1-8.1_all.deb
      Size/MD5 checksum:  134728  5932b4a4d5942c839b1a65817becf641
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2545.html

+---------------------------------+
|  Package: kdenetwork            |
----------------------------//
|  Date: 11-11-2002               |
+---------------------------------+

Description: It is possible for a local attacker to exploit a buffer
overflow condition in resLISa, a restricted version of KLISa. The
vulnerability exists in the parsing of the LOGNAME environment variable:
an overly long value overwrites the saved instruction pointer (return
address), allowing an attacker to seize control of the executable.

Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/k/kdenetwork/klisa_2.2.2-14.2_i386.deb
      Size/MD5 checksum:  150248  447ca978df2eabe8971f0106d75dd5df
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2549.html
  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2553.html

+---------------------------------+
|  Package: masqmail              |
----------------------------//
|  Date: 11-12-2002               |
+---------------------------------+

Description: A set of buffer overflows has been discovered in masqmail, a
mail transport agent for hosts without a permanent internet connection.
In addition, privileges were dropped only after reading a user-supplied
configuration file. Together these could be exploited to gain
unauthorized root access to the machine on which masqmail is installed.
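The python entry above (predictable temporary-file names, symlink attack)
and the html2ps entry (files opened from unsanitized input) are the same
bug class seen from two sides. The C program below is an added example
written for this newsletter, not code from Python, html2ps or any vendor;
it stages the race in a private directory so it can be run as an ordinary
user. The attacker pre-plants a symlink at the name the victim program will
use; the vulnerable writer opens it with O_CREAT but no O_EXCL, follows the
link and overwrites the target, while the hardened writer (the same flags
mkstemp uses) fails with EEXIST. File names and contents are constructed
for the demo; on a real system the directory is a world-writable /tmp and
the victim runs as another user, often root.

```c
/* Added example (not from the advisory, not Python's code): the predictable
 * temporary-file race from the python entry above, reproduced in C. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: a name the attacker can guess, opened with O_CREAT but
 * without O_EXCL. If a symlink already sits at path, open() follows it and
 * the data lands wherever the attacker pointed it. */
int write_tmp_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern (what mkstemp does internally): O_EXCL makes creation
 * atomic and fails with EEXIST if anything, symlink included, is already
 * there; O_NOFOLLOW is a second line of defence. The caller must treat the
 * failure as an attack indicator, not retry with the same name. */
int write_tmp_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Stage the race in a private directory: the attacker links the predictable
 * name to victim first, then the program writes. Returns 1 if victim ended
 * up holding the program's data (clobbered), 0 if it kept its contents, -1
 * on setup error. All paths and contents are constructed for the demo. */
int demo_symlink_attack(int use_safe_writer)
{
    char dir[] = "/tmp/tmprace.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char victim[64], predictable[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    /* pid-based names like /tmp/foo1234 are guessable; the attacker races them */
    snprintf(predictable, sizeof predictable, "%s/tmp%d", dir, (int)getpid());

    FILE *f = fopen(victim, "w");                 /* something worth overwriting */
    if (!f) return -1;
    fputs("secret\n", f);
    fclose(f);
    if (symlink(victim, predictable) != 0) return -1;   /* the attacker's move */

    if (use_safe_writer) write_tmp_safe(predictable, "owned\n");
    else write_tmp_unsafe(predictable, "owned\n");

    char buf[32] = "";
    f = fopen(victim, "r");
    if (!f) return -1;
    if (fgets(buf, sizeof buf, f) == NULL) buf[0] = '\0';
    fclose(f);

    unlink(predictable);
    unlink(victim);
    rmdir(dir);
    return strcmp(buf, "owned\n") == 0 ? 1 : 0;
}
```

demo_symlink_attack(0) returns 1 (the victim file now holds the program's
data); demo_symlink_attack(1) returns 0. The rule is the same in any
language: create temporary files with O_EXCL semantics (tempfile.mkstemp()
in Python), treat EEXIST as hostile rather than something to retry, and
prefer not to need a temporary file at all.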
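The masqmail entry above turns on ordering: privileges were dropped only
after a user-supplied configuration file had been read, so a crafted file
was parsed as root. The traceroute entry later in this issue is the other
half of the same mistake, privileges that are never dropped once the raw
socket is open. The C program below is an added example written for this
newsletter, not masqmail's or traceroute-nanog's code. It shows the
sequence a root-started or setuid-root tool should follow: acquire the
single root-only resource (a raw ICMP socket, as traceroute needs), drop
supplementary groups, gid and uid irrevocably, verify the drop instead of
trusting return codes, and only then parse anything the user controls. The
target ids are the invoking user's real ids; the configuration parser is a
stand-in that only counts lines.

```c
/* Added example (not masqmail's or traceroute-nanog's code): the order a
 * root-started tool should follow: root-only setup first, irrevocable
 * privilege drop second, user-controlled input last. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: the only operation that needs root. Returns a fd, or -1 with errno
 * set (EPERM when not root). */
int open_raw_icmp_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: drop to uid/gid irrevocably and verify it. Returns 0 on success,
 * -1 if any step failed or root could still be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups are the usually forgotten part; only root can
     * clear them, so do it while we still are root and there are any. */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group first: after the uid drop we could no longer change it. All
     * three ids (real, effective, saved) are set so the drop is permanent. */
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Verify rather than trust the return codes. */
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    /* Root must not be regainable (only meaningful when we dropped to non-root). */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Step 3, only after the drop: anything the user controls. The parser is a
 * stand-in that counts lines; returns the count or -1 if unreadable. */
long read_user_config(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long lines = 0;
    int c;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n') lines++;
    fclose(f);
    return lines;
}

int main(int argc, char **argv)
{
    int fd = open_raw_icmp_socket();
    if (fd < 0) perror("raw socket (needs root)");   /* carry on to show the drop */

    /* A setuid-root binary drops to its real ids, i.e. the invoking user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed; refusing to continue as root\n");
        return 1;
    }
    if (argc > 1) {
        long n = read_user_config(argv[1]);  /* read with the user's rights only */
        if (n < 0) perror(argv[1]);
        else printf("%s: %ld lines\n", argv[1], n);
    }
    if (fd >= 0) close(fd);
    return 0;
}
```

Run as an unprivileged user, the raw socket open fails with EPERM but the
drop (to the ids you already hold) still succeeds; installed setuid-root
and run from a normal account, the socket opens and then real, effective
and saved ids all become the invoking user's, with drop_privileges()
returning -1 if any of them did not change. The program aborts when the
drop fails: continuing as root after a failed setuid is the worse of the
two outcomes.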
Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/m/masqmail/masqmail_0.1.16-2.1_i386.deb
      Size/MD5 checksum:  88358  586f60f60d81dc17379df547f5796f8a
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2555.html

+---------------------------------+
|  Package: apache-perl           |
----------------------------//
|  Date: 11-13-2002               |
+---------------------------------+

Description: Vulnerabilities in the Debian apache-perl package (Apache
with mod_perl) could allow an attacker to enact a denial of service
against a server, execute a cross-site scripting attack, or steal
cookies from other users of the web site.

Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/a/apache-perl/apache-perl_1.3.9-14.1-1.21.20000309-1.1_i386.deb
      Size/MD5 checksum:  956320  da48dac81fbc5f66e7f9f350c2eb90bb
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2563.html

+---------------------------------+
|  Package: bind                  |
----------------------------//
|  Date: 11-14-2002               |
+---------------------------------+

Description: A buffer overflow in BIND 8 versions 8.3.3 and earlier
allows a remote attacker to execute arbitrary code via a certain DNS
server response containing SIG resource records (RRs). This buffer
overflow can be exploited to obtain access to the victim host under the
account the named process is running as, usually root.
Vendor Alerts:
  Debian:
    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:  340444  31b08eaeb38c0df2ed1cb6cb6fa3f5de
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:  572016  540d025d851c207596f02f293d32dbca
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:  309622  476724d25b348bdfa3f314bf8777e05a
  Debian Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-2569.html
  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-2566.html
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2572.html
  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2559.html
  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2568.html
  EnGarde Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2564.html
  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2570.html

+---------------------------------+
|  Package: kadmind               |
----------------------------//
|  Date: 11-14-2002               |
+---------------------------------+

Description: A remote attacker may send a specially formatted request to
k5admind or kadmind, triggering the stack buffer overflow and potentially
causing the administrative server to execute arbitrary code as root on
the KDC. The attacker need not be authenticated in order to trigger the
bug. Compromise of the KDC has an especially large impact, as theft of
the Kerberos database could allow an attacker to impersonate any
Kerberos principal in the realm(s) present in the database.
Vendor Alerts:
  FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-2560.html

+---------------------------------+
|  Package: smrsh                 |
----------------------------//
|  Date: 11-11-2002               |
+---------------------------------+

Description: Users with a local account and the ability to create or
modify their `.forward' files can circumvent the smrsh restrictions.
This is mostly of consequence to systems which have local users that are
not normally allowed access to a login shell, as such users may abuse
this bug in order to execute arbitrary commands with normal privileges.

Vendor Alerts:
  FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-2561.html

+---------------------------------+
|  Package: resolver              |
----------------------------//
|  Date: 11-12-2002               |
+---------------------------------+

Description: A malicious attacker could answer DNS queries with spoofed,
specially crafted responses that will not fit in the supplied buffer.
This might cause some applications to fail (denial of service).

Vendor Alerts:
  FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  FreeBSD Vendor Advisory:
    http://www.linuxsecurity.com/advisories/freebsd_advisory-2562.html

+---------------------------------+
|  Package: perl-MailTools        |
----------------------------//
|  Date: 11-13-2002               |
+---------------------------------+

Description: A vulnerability was discovered in the Mail::Mailer perl
module by the SuSE security team during an audit. The vulnerability
allows remote attackers to execute arbitrary commands in certain
circumstances due to the usage of mailx as the default mailer, a program
that allows commands to be embedded in the mail body.
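The resolver entry above (responses that do not fit the supplied buffer),
the bind entry earlier in this issue (SIG records overrunning a buffer) and
the nss_ldap entry that follows (SRV record data not checked against an
internal buffer) share one root cause: length fields taken from the network
and used without checking them against both the bytes actually received
and the space available to store the result. The C code below is an added
example written for this newsletter, not code from BIND, the FreeBSD
resolver or nss_ldap. It extracts a name and the first SRV answer from a
DNS response with every length checked, and includes a constructed (not
captured) response for _ldap._tcp.example.com so it runs offline.
Compression pointers are deliberately rejected rather than handled, to
keep the example short.

```c
/* Added example (not from any of the advisories): bounds-checked extraction
 * of a DNS name and the first SRV record from a response. Every length byte
 * comes from the network and is checked against both the bytes left in the
 * packet and the space left in the caller's buffer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode the wire-format name at msg[off] into out (dotted, NUL-terminated).
 * Returns the offset just past the name, or -1 on malformed or oversized
 * input. Compression pointers are rejected (assumption for this example:
 * only uncompressed names are handled). */
long dns_read_name(const uint8_t *msg, size_t msglen, size_t off,
                   char *out, size_t outlen)
{
    size_t used = 0;                          /* bytes written, excluding NUL */
    if (outlen == 0) return -1;
    for (;;) {
        if (off >= msglen) return -1;         /* ran off the end of the packet */
        uint8_t len = msg[off++];
        if (len == 0) break;                  /* root label ends the name */
        if (len & 0xC0) return -1;            /* compression pointer / reserved type */
        if (len > msglen - off) return -1;    /* label claims bytes that are not there */
        size_t need = used + (used ? 1 : 0) + len;
        if (need >= outlen) return -1;        /* would not fit (room for NUL) */
        if (used) out[used++] = '.';
        memcpy(out + used, msg + off, len);
        used += len;
        off += len;
        if (used > 253) return -1;            /* RFC 1035 name length limit */
    }
    out[used] = '\0';
    return (long)off;
}

/* Big-endian 16-bit read with bounds check; -1 if out of range. */
static long rd16(const uint8_t *msg, size_t msglen, size_t off)
{
    if (off + 2 > msglen) return -1;
    return (msg[off] << 8) | msg[off + 1];
}

/* Parse the first answer of a response as an SRV record (type 33): fills the
 * target host name and *port. Returns 0 on success, -1 on malformed input. */
int dns_parse_first_srv(const uint8_t *msg, size_t msglen,
                        char *target, size_t targetlen, uint16_t *port)
{
    char scratch[256];
    long qd = rd16(msg, msglen, 4), an = rd16(msg, msglen, 6);
    if (msglen < 12 || qd < 0 || an < 1) return -1;       /* header */
    size_t off = 12;
    for (long i = 0; i < qd; i++) {                       /* skip the question section */
        long n = dns_read_name(msg, msglen, off, scratch, sizeof scratch);
        if (n < 0 || (size_t)n + 4 > msglen) return -1;   /* QTYPE + QCLASS */
        off = (size_t)n + 4;
    }
    long n = dns_read_name(msg, msglen, off, scratch, sizeof scratch); /* owner name */
    if (n < 0) return -1;
    off = (size_t)n;
    long type = rd16(msg, msglen, off), rdlen = rd16(msg, msglen, off + 8);
    if (type != 33 || rdlen < 0) return -1;               /* TYPE CLASS TTL RDLENGTH = 10 bytes */
    off += 10;
    if ((size_t)rdlen > msglen - off) return -1;          /* RDLENGTH exceeds the packet */
    size_t rdend = off + (size_t)rdlen;
    long p = rd16(msg, rdend, off + 4);                   /* priority, weight, port */
    if (p < 0) return -1;
    *port = (uint16_t)p;
    /* The target name is bounded by the RDATA, not by the whole packet. */
    return dns_read_name(msg, rdend, off + 6, target, targetlen) < 0 ? -1 : 0;
}

/* Constructed sample (not captured traffic): a response to an SRV query for
 * _ldap._tcp.example.com answered with "0 0 389 ldap.example.com". */
static const uint8_t sample_resp[] =
    "\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"         /* header: QD=1 AN=1 */
    "\x05_ldap\x04_tcp\x07" "example\x03" "com\x00"            /* question name */
    "\x00\x21\x00\x01"                                         /* SRV IN */
    "\x05_ldap\x04_tcp\x07" "example\x03" "com\x00"            /* answer owner name */
    "\x00\x21\x00\x01\x00\x00\x0e\x10\x00\x18"                 /* SRV IN TTL 3600 RDLENGTH 24 */
    "\x00\x00\x00\x00\x01\x85"                                 /* priority 0 weight 0 port 389 */
    "\x04ldap\x07" "example\x03" "com\x00";                    /* target */
#define SAMPLE_LEN (sizeof sample_resp - 1)                    /* drop the literal's NUL */

char last_target[256];                 /* results of the last parse_sample() */
uint16_t last_port;

/* Parse the first 'len' bytes of the sample into an output buffer of 'outlen'
 * bytes (at most 256): a shorter len models a truncated response, a smaller
 * outlen models the too-small internal buffer. */
int parse_sample(size_t len, size_t outlen)
{
    last_port = 0;
    if (len > SAMPLE_LEN || outlen > sizeof last_target) return -1;
    return dns_parse_first_srv(sample_resp, len, last_target, outlen, &last_port);
}
```

parse_sample(SAMPLE_LEN, 256) yields ldap.example.com on port 389;
parse_sample(SAMPLE_LEN - 5, 256) (a truncated response, the resolver case)
and parse_sample(SAMPLE_LEN, 8) (an output buffer too small for the target,
the nss_ldap case) both return -1 instead of reading or writing past a
buffer.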
Vendor Alerts:
  Mandrake:
    9.0/RPMS/perl-MailTools-1.47-1.1mdk.noarch.rpm  4fbfa7cc821ce3e785fb2449eb58afb8
    http://www.mandrakesecure.net/en/ftp.php
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html

+---------------------------------+
|  Package: nss_ldap              |
----------------------------//
|  Date: 11-07-2002               |
+---------------------------------+

Description: A buffer overflow vulnerability exists in nss_ldap versions
prior to 198. When nss_ldap is configured without a value for the "host"
keyword, it attempts to configure itself using SRV records stored in DNS.
nss_ldap does not check that the data returned by the DNS query will fit
into an internal buffer, thus exposing it to an overflow.

Vendor Alerts:
  Mandrake:
    9.0/RPMS/nss_ldap-202-1.1mdk.i586.rpm  da577902f504bf8f345446635fcc3cf7
    9.0/RPMS/pam_ldap-156-1.1mdk.i586.rpm  b70c25f7b8a3b5f86149dd199003a4ff
    http://www.mandrakesecure.net/en/ftp.php
  Mandrake Vendor Advisory:
    http://www.linuxsecurity.com/advisories/mandrake_advisory-2546.html

+---------------------------------+
|  Package: php                   |
----------------------------//
|  Date: 11-11-2002               |
+---------------------------------+

Description: PHP versions up to and including 4.2.2 contain
vulnerabilities in the mail() function allowing local script authors to
bypass safe mode restrictions and possibly allowing remote attackers to
insert arbitrary mail headers and content into the message.

Vendor Alerts:
  Red Hat: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Red Hat Vendor Advisory:
    http://www.linuxsecurity.com/advisories/redhat_advisory-2550.html
  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2565.html

+---------------------------------+
|  Package: traceroute            |
----------------------------//
|  Date: 11-12-2002               |
+---------------------------------+

Description: Traceroute-nanog requires root privilege to open a raw
socket. It does not relinquish these privileges after doing so.
This allows a malicious user to gain root access by exploiting a buffer
overflow at a later point in the program.

Vendor Alerts:
  SuSE:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/traceroute-6.1.1-0.i386.rpm
      afe01bf0b151eca2f42fa5737c99bdc7
  SuSE Vendor Advisory:
    http://www.linuxsecurity.com/advisories/suse_advisory-2554.html

+---------------------------------+
|  Package: kgpg                  |
----------------------------//
|  Date: 11-10-2002               |
+---------------------------------+

Description: A bug in Kgpg's key generation affects all secret keys
generated through Kgpg's wizard (it does not affect keys created in
console/expert mode). All keys created through the wizard have an empty
passphrase, which means that anyone who has access to your computer and
can read your secret key can decrypt your files without needing a
passphrase.

Vendor Alerts:
  Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2548.html

+---------------------------------+
|  Package: apache                |
----------------------------//
|  Date: 11-11-2002               |
+---------------------------------+

Description: A vulnerability exists in the SSI error pages of Apache 2.0
that involves incorrect filtering of server signature data. The
vulnerability could enable an attacker to hijack web sessions, allowing
a range of potential compromises on the targeted host.

Vendor Alerts:
  Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2552.html

+---------------------------------+
|  Package: kdelibs               |
----------------------------//
|  Date: 11-11-2002               |
+---------------------------------+

Description: A vulnerability in kdelibs potentially enables local or
remote attackers to compromise a victim's account and execute arbitrary
commands on the local system with the victim's privileges, such as
erasing files, accessing data or installing trojans.
Vendor Alerts:
  Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Gentoo Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2567.html

+---------------------------------+
|  Package: syslog-ng             |
----------------------------//
|  Date: 11-14-2002               |
+---------------------------------+

Description: When expanding the macros allowed in its configuration
templates, syslog-ng fails to account for characters which are not part
of the macro. This leads to incorrect bounds checking and a possible
buffer overflow if enough non-macro characters are used.

Vendor Alerts:
  Conectiva: PLEASE SEE VENDOR ADVISORY FOR UPDATE
  Conectiva Vendor Advisory:
    http://www.linuxsecurity.com/advisories/other_advisory-2571.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
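The syslog-ng entry above describes a bounds check that counted only the
bytes produced by macro expansion and forgot the literal characters between
macros, so a template with enough literal text could push the expansion
past the end of the buffer. The C code below is an added example written
for this newsletter, not syslog-ng's own expander. It expands $NAME macros
into a fixed buffer with snprintf-style accounting: every byte, literal or
expanded, is added to the running total and only the part that fits is
copied. The macro names ($HOST, $PROGRAM, $MSG) and their values are
constructed for the demo.

```c
/* Added example (not syslog-ng's code): a template expander whose bounds
 * accounting covers literal text as well as macro values. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Resolve a macro name to its value; NULL for unknown names. The macro set
 * and the values are constructed for this example. */
static const char *lookup_macro(const char *name, size_t namelen)
{
    static const struct { const char *name, *value; } macros[] = {
        { "HOST",    "db01.example.internal" },
        { "PROGRAM", "sshd" },
        { "MSG",     "Accepted publickey for deploy from 10.0.0.7 port 52144" },
    };
    for (size_t i = 0; i < sizeof macros / sizeof macros[0]; i++)
        if (strlen(macros[i].name) == namelen &&
            memcmp(macros[i].name, name, namelen) == 0)
            return macros[i].value;
    return NULL;
}

/* Append n bytes of src to out, copying only what fits before the NUL but
 * always adding n to *need, so the caller learns the full required size. */
static void emit(char *out, size_t outlen, size_t *need, const char *src, size_t n)
{
    if (outlen > 0 && *need < outlen - 1) {
        size_t room = outlen - 1 - *need;
        memcpy(out + *need, src, n < room ? n : room);
    }
    *need += n;
}

/* Expand $NAME macros in tmpl into out[outlen]. Like snprintf, returns the
 * length the full expansion needs (excluding NUL); a result >= outlen means
 * the output was truncated, never overrun. Unknown macros pass through. */
size_t expand_template(const char *tmpl, char *out, size_t outlen)
{
    size_t need = 0;
    const char *p = tmpl;
    while (*p) {
        if (*p == '$' && (isalnum((unsigned char)p[1]) || p[1] == '_')) {
            const char *q = p + 1;
            while (isalnum((unsigned char)*q) || *q == '_') q++;
            const char *val = lookup_macro(p + 1, (size_t)(q - p - 1));
            if (val) { emit(out, outlen, &need, val, strlen(val)); p = q; continue; }
            /* unknown macro: fall through and copy the text literally */
        }
        /* Literal run up to the next '$': this is the part the bug forgot to
         * count, so a long literal prefix could push the macro value past the
         * end of the buffer. */
        const char *q = p + 1;                /* consume at least one character */
        while (*q && *q != '$') q++;
        emit(out, outlen, &need, p, (size_t)(q - p));
        p = q;
    }
    if (outlen > 0) out[need < outlen ? need : outlen - 1] = '\0';
    return need;
}

char out_buf[128];                        /* result of the last expand_into() */

/* Expand into the shared buffer pretending it is only outlen bytes long, to
 * show truncation instead of overflow. */
size_t expand_into(const char *tmpl, size_t outlen)
{
    if (outlen > sizeof out_buf) return (size_t)-1;
    return expand_template(tmpl, out_buf, outlen);
}
```

expand_into("/var/log/hosts/$HOST/$PROGRAM.log", 16) reports that 45 bytes
are needed and leaves only the 15 literal bytes that fit plus the
terminator in the buffer; a counter that ignored the literal prefix would
have written the 21-byte host name starting at offset 15 of a 16-byte
buffer.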