Linux Advisory Watch - February 28th 2003

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  February 28th, 2002                       Volume 4, Number 9a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for slocate, nanog, tcpdump, kde,
openssl, WebTool, syncookie, webmin, acupsd, tightvnc, vnc, vte,
hypermail, libmcrypt, openldap, mysql, postgresql, initscripts, krb5,
lynx, and shadow-utils.  The distributors include Conectiva, Debian,
Guardian Digital's EnGarde Secure Linux, Gentoo, Mandrake, Red Hat, SuSE,
and Trustix.


 #### Concerned about the next threat?  ####
 #### EnGarde is the undisputed winner! ####

 Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
 Editor's Choice Award, EnGarde "walked away with our Editor's Choice
 award thanks to the depth of its security strategy..." Find out what the
 other Linux vendors are not telling you.

http://store.guardiandigital.com/html/eng/products/software/esp_overview.shtml


Remote Syslog with MySQL and PHP
Msyslog has the ability to log syslog messages to a database. This allows
for easier monitoring of multiple servers and the ability to be display
and search for syslog messages using PHP or any other programming language
that can communicate with the database.by that, too.

http://www.linuxsecurity.com/feature_stories/feature_story-138.html


Review: Mastering Network Security, Second Edition - The introduction
states that this book is aimed at systems administrators who are not
security experts, but have some responsibility for ensuring the integrity
of their systems. That would seem to cover most sysadmins.

http://www.linuxsecurity.com/feature_stories/feature_story-137.html


+---------------------------------+
|  Package:  slocate              | ----------------------------//
|  Date: 02-21-2003               |
+---------------------------------+


Description:
A problem has been discovered in slocate, a secure locate replacement. A
buffer overflow in the setuid program slocate can be used to execute
arbitrary code as superuser.

Vendor Alerts:

 Debian:
 http://security.debian.org/pool/updates/main/s/
 slocate/slocate_2.6-1.3.1_i386.deb
 Size/MD5 checksum:    24788 9c9121191ee8ce7321bda76b3bb0c8fa

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2880.html


+---------------------------------+
|  Package:  nanog                | ----------------------------//
|  Date: 02-27-2003               |
+---------------------------------+

Description:
A vulnerability has been discovered in NANOG traceroute, an enhanced
version of the Van Jacobson/BSD traceroute program.  A buffer overflow
occurs in the 'get_origin()' function.  Due to insufficient bounds
checking performed by the whois parser, it may be possible to corrupt
memory on the system stack.  This vulnerability can be exploited by a
remote attacker to gain root privileges on a target host.  Though, most
probably not in Debian.

Vendor Alerts:

 Debian:
 http://security.debian.org/pool/updates/main/t/traceroute-nanog/
 traceroute-nanog_6.0-2.2_i386.deb
 Size/MD5 checksum:    18588 78445b5c9cbef332d14f22e40dce094b

 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2906.html



+---------------------------------+
|  Package:  tcpdump              | ----------------------------//
|  Date: 02-27-2003               |
+---------------------------------+

Description:
Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition.  An attacker is
able to send a specially crafted network packet which causes tcpdump to
enter an infinite loop.

Vendor Alerts:

 Debian:
  http://security.debian.org/pool/updates/main/t/
  tcpdump/tcpdump_3.6.2-2.3_i386.deb
  Size/MD5 checksum:   169482 2e6aadf125c8e7bbde3d0dd162201480

  Debian Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-2909.html



+---------------------------------+
|  Package:  kde                  | ----------------------------//
|  Date: 02-20-2003               |
+---------------------------------+

Description:
This is a full update of the KDE desktop to the 3.0.5a version, the latest
3.0.x release from the KDE project[1]. Besides containing several bugfixes
and enhancements, this update also fixes several security
vulnerabilities[2] found during an internal code audit organized by the
KDE team.

Vendor Alerts:

 Conectiva:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Conectiva Vendor Advisory:
  http://www.linuxsecurity.com/advisories/connectiva_advisory-2879.html




+---------------------------------+
|  Package:  openssl              | ----------------------------//
|  Date: 02-21-2003               |
+---------------------------------+

Description:
Vulnerable[2][3] openssl versions do not perform a MAC computation if an
incorrect block cipher padding is used. An active attacker who can insert
data into an existing encrypted connection is then able to measure time
differences between the error messages the server sends. This information
can make it easier to launch cryptographic attacks that rely on
distinguishing between padding and MAC verification errors, possibly
leading to extraction of the original plaintext.

Vendor Alerts:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Conectiva Vendor Advisory:
 http://www.linuxsecurity.com/advisories/connectiva_advisory-2893.html


 Debian Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-2887.html

 FreeBSD Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-2903.html

 SuSE Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-2904.html

 Trustix Vendor Advisory:
 http://www.linuxsecurity.com/advisories/trustix_advisory-2885.html

 Mandrake Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2896.html



+---------------------------------+
|  Package:  WebTool              | ----------------------------//
|  Date: 02-21-2003               |
+---------------------------------+

Description:
Keigo Yamazaki discovered a vulnerability in miniserv.pl (the webserver
program at the core of the WebTool) which may allow an attacker to spoof a
session ID by including special metacharacters in the BASE64 encoded
string using during the authentication process. This may allow a remote
attacker to gain full administrative privileges over the WebTool.  All
users are recommended to upgrade immediately.

Vendor Alerts:

 EnGarde:
 ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
 noarch/WebTool-1.2-1.0.74.noarch.rpm
 MD5 Sum: 9a77f14ae33c4e3de1bdd0d5a325f0d3

 noarch/WebTool-userpass-1.2-1.0.74.noarch.rpm
 MD5 Sum: 294fc1527f35b22b6db536b16730c25e

 EnGarde Vendor Advisory:
 http://www.linuxsecurity.com/advisories/engarde_advisory-2898.html



+---------------------------------+
|  Package:  snycookie            | ----------------------------//
|  Date: 02-24-2003               |
+---------------------------------+

Description:
Once a syncookie key has been recovered, an attacker may construct valid
ISNs until the key is rotated (typically up to four seconds). The ability
to construct a valid ISN may be used to spoof a TCP connection in exactly
the same way as in the well-known ISN prediction attacks (see
`References'). Spoofing may allow an attacker to bypass IP-based access
control lists such as those implemented by tcp_wrappers and many
firewalls.  Similarly, SMTP and other connections may be forged,
increasing the difficulty of tracing abusers.  Recovery of a syncookie key
will also allow the attacker to reset TCP connections initiated within the
same 31.25ms window.

Vendor Alerts:

 FreeBSD:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  FreeBSD Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-2888.html




+---------------------------------+
|  Package:  webmin               | ----------------------------//
|  Date: 02-22-2003               |
+---------------------------------+

Description:
Due to a remotely exploitable security hole being discovered that effects
all previous Webmin releases, version 1.070 is now available for download.

Vendor Alerts:

 Gentoo:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html
  http://www.linuxsecurity.com/advisories/gentoo_advisory-2890.html


 Mandrake:
  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2908.html




+---------------------------------+
|  Package:  acupsd               | ----------------------------//
|  Date: 02-22-2003               |
+---------------------------------+

Description:
A remote root vulnerability in slave setups and some buffer overflows in
the network information server code were discovered by the apcupsd
developers.

Vendor Alerts:

 Gentoo:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/gentoo_advisory-2889.html



+---------------------------------+
|  Package:  tightvnc             | ----------------------------//
|  Date: 02-24-2003               |
+---------------------------------+

Description:
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.

Vendor Alerts:

 Gentoo:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/gentoo_advisory-2891.html



+---------------------------------+
|  Package:  vnc                  | ----------------------------//
|  Date: 02-24-2003               |
+---------------------------------+

Description:
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.

Vendor Alerts:

 Gentoo:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Gentoo Vendor Advisory:
  http://www.linuxsecurity.com/advisories/gentoo_advisory-2892.html

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2894.html

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2900.html




+---------------------------------+
|  Package:  vte                  | ----------------------------//
|  Date: 02-24-2003               |
+---------------------------------+

Description:
One feature that most terminal emulators support is the ability for the
shell to set the title of the window using an escape sequence. Certain
xterm variants also provide an escape sequence for reporting the current
window title.  This essentially takes the current title and places it
directly on the command line.  This feature could be potentially exploited
if an attacker can cause carefully crafted escape sequences to be
displayed on a vulnerable terminal emulator used by their victim.

Vendor Alerts:

 Red Hat:
  ftp://updates.redhat.com/8.0/en/os/i386/vte-0.8.19-2.i386.rpm
  a274eeb1dd40afeed45ea2f7601a6bac

  ftp://updates.redhat.com/8.0/en/os/i386/vte-devel-0.8.19-2.i386.rpm

  e4172c1224bc77357a0f0a8c315f2dc5

  Red Hat Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-2901.html



+---------------------------------+
|  Package:  hypermail            | ----------------------------//
|  Date: 02-24-2003               |
+---------------------------------+

Description:
During an internal source code review done by Thomas Biege several bugs
where found in hypermail and its tools. These bugs allow remote code
execution, local tmp race conditions, denial-of-service conditions and
read access to files belonging to the host hypermail is running on.
Additionally the mail CGI program can be abused by spammers as email-relay
and should thus be disabled.

Vendor Alerts:

 SuSE:
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
  hypermail-2.1.4-58.i586.rpm
  a4b683703b65cb65d0d1b246c2bf652d

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2905.html



+---------------------------------+
|  Package:  libmcrypt            | ----------------------------//
|  Date: 02-26-2003               |
+---------------------------------+

Description:
Versions of libmcrypt prior to 2.5.5 include several buffer overflows that
can be triggered by passing very long input to the mcrypt functions.

Vendor Alerts:

 SuSE:
  ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/

  i586/libmcrypt-2.5.2-48.i586.rpm
  6dc3127a069545b9cb00cafd9897021f

  SuSE Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-2902.html



+---------------------------------+
|  Package:  openldap             | ----------------------------//
|  Date: 02-20-2003               |
+---------------------------------+

Description:
Several minor security issues where fixed in the new upstream version
1.2.13

Vendor Alerts:

 Trustix:
  ftp://ftp.trustix.net/pub/Trustix/updates/

  ./1.5/RPMS/openldap1-servers-1.2.13-1tr.i586.rpm
  c71ef6c3a75b869d975503ad0e83ce28

  ./1.5/RPMS/openldap1-devel-1.2.13-1tr.i586.rpm
  61075ed423e0eae96eb552d3c758a0fb

  ./1.5/RPMS/openldap1-1.2.13-1tr.i586.rpm
  0c4c1a15002b12f5c2f077e2ce2df869

  Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/trustix_advisory-2882.html



+---------------------------------+
|  Package:  mysql                | ----------------------------//
|  Date: 02-20-2003               |
+---------------------------------+

Description:
The new upstream version of mysql, 3.23.55, included several minor
security fixes.

Vendor Alerts:

 Trustix:
  ftp://ftp.trustix.net/pub/Trustix/updates/

  ./1.5/RPMS/mysql-shared-3.23.55-1tr.i586.rpm
  f00e01e926018961578532eda9702f4f

  ./1.5/RPMS/mysql-devel-3.23.55-1tr.i586.rpm
  4b216ea845e3cb21f32bd7cadbc0d298

  ./1.5/RPMS/mysql-client-3.23.55-1tr.i586.rpm
  9a4ce5a9be56e59191a050ca8e543097

  ./1.5/RPMS/mysql-bench-3.23.55-1tr.i586.rpm
  a5f91d90674586626d1cf3aff3129c7e

  ./1.5/RPMS/mysql-3.23.55-1tr.i586.rpm
  094d0947f8b7c0b9bfa6e0dde0a66bb4

  Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/trustix_advisory-2883.html



+---------------------------------+
|  Package:  postgresql           | ----------------------------//
|  Date: 02-20-2003               |
+---------------------------------+

Description:
The new upstream version of postgresql, 7.1.3, included several minor
security fixes.

Vendor Alerts:

 Trustix:
  ftp://ftp.trustix.net/pub/Trustix/updates/

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/trustix_advisory-2884.html



+---------------------------------+
|  Package:  initscripts          | ----------------------------//
|  Date: 02-20-2003               |
+---------------------------------+

Description:
A dependency loop exists between several package including initscripts,
pam and SysVinit, that causes the installer to complaint. This update
removes the loop, as it was not needed.

Vendor Alerts:

 Trustix:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Trustix Vendor Advisory:
  http://www.linuxsecurity.com/advisories/trustix_advisory-2881.html



+---------------------------------+
|  Package:  krb5                 | ----------------------------//
|  Date: 02-21-2003               |
+---------------------------------+

Description:
A vulnerability was discovered in the Kerberos FTP client.  When the
client retrieves a file that has a filename beginning with a pipe
character, the FTP client will pass that filename to the command shell in
a system() call.  This could allow a malicious remote FTP server to write
to files outside of the current directory or even execute arbitrary
commands as the user using the FTP client.

Vendor Alerts:

 Mandrake:
  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2895.html



+---------------------------------+
|  Package:  lynx                 | ----------------------------//
|  Date: 02-21-2003               |
+---------------------------------+

Description:
A vulnerability was discovered in lynx, a text-mode web browser.  The HTTP
queries that lynx constructs are from arguments on the command line or the
$WWW_HOME environment variable, but lynx does not properly sanitize
special characters such as carriage returns or linefeeds. Extra headers
can be inserted into the request because of this, which can cause scripts
that use lynx to fetch data from the wrong site from servers that use
virtual hosting.

Vendor Alerts:

 Mandrake:
  9.0/RPMS/lynx-2.8.5-0.10mdk.dev.8.i586.rpm
  59fd26d160a9168588b3dde6a0405c5e
  http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2899.html



+---------------------------------+
|  Package:  shadow-utils         | ----------------------------//
|  Date: 02-21-2003               |
+---------------------------------+

Description:
The shadow-utils package contains the tool useradd, which is used to
create or update new user information. When useradd creates an account, it
would create it with improper permissions; instead of having it owned by
the group mail, it would be owned by the user's primary group. If this is
a shared group (ie. "users"), then all members of the shared group would
be able to obtain access to the mail spools of other members of the same
group.  A patch to useradd has been applied to correct this problem.

Vendor Alerts:

  Mandrake:
  9.0/RPMS/shadow-utils-20000902-8.1mdk.i586.rpm
  4aec1f507ffde87dd10299f31cb20b84
  http://www.mandrakesecure.net/en/ftp.php

  Mandrake Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-2907.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux