+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | February 28th, 2002 Volume 4, Number 9a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@linuxsecurity.com ben@linuxsecurity.com Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilitiaes that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for slocate, nanog, tcpdump, kde, openssl, WebTool, syncookie, webmin, acupsd, tightvnc, vnc, vte, hypermail, libmcrypt, openldap, mysql, postgresql, initscripts, krb5, lynx, and shadow-utils. The distributors include Conectiva, Debian, Guardian Digital's EnGarde Secure Linux, Gentoo, Mandrake, Red Hat, SuSE, and Trustix. #### Concerned about the next threat? #### #### EnGarde is the undisputed winner! #### Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://store.guardiandigital.com/html/eng/products/software/esp_overview.shtml Remote Syslog with MySQL and PHP Msyslog has the ability to log syslog messages to a database. This allows for easier monitoring of multiple servers and the ability to be display and search for syslog messages using PHP or any other programming language that can communicate with the database.by that, too. http://www.linuxsecurity.com/feature_stories/feature_story-138.html Review: Mastering Network Security, Second Edition - The introduction states that this book is aimed at systems administrators who are not security experts, but have some responsibility for ensuring the integrity of their systems. That would seem to cover most sysadmins. http://www.linuxsecurity.com/feature_stories/feature_story-137.html +---------------------------------+ | Package: slocate | ----------------------------// | Date: 02-21-2003 | +---------------------------------+ Description: A problem has been discovered in slocate, a secure locate replacement. A buffer overflow in the setuid program slocate can be used to execute arbitrary code as superuser. Vendor Alerts: Debian: http://security.debian.org/pool/updates/main/s/ slocate/slocate_2.6-1.3.1_i386.deb Size/MD5 checksum: 24788 9c9121191ee8ce7321bda76b3bb0c8fa Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2880.html +---------------------------------+ | Package: nanog | ----------------------------// | Date: 02-27-2003 | +---------------------------------+ Description: A vulnerability has been discovered in NANOG traceroute, an enhanced version of the Van Jacobson/BSD traceroute program. A buffer overflow occurs in the 'get_origin()' function. Due to insufficient bounds checking performed by the whois parser, it may be possible to corrupt memory on the system stack. This vulnerability can be exploited by a remote attacker to gain root privileges on a target host. Though, most probably not in Debian. Vendor Alerts: Debian: http://security.debian.org/pool/updates/main/t/traceroute-nanog/ traceroute-nanog_6.0-2.2_i386.deb Size/MD5 checksum: 18588 78445b5c9cbef332d14f22e40dce094b Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2906.html +---------------------------------+ | Package: tcpdump | ----------------------------// | Date: 02-27-2003 | +---------------------------------+ Description: Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted network packet which causes tcpdump to enter an infinite loop. Vendor Alerts: Debian: http://security.debian.org/pool/updates/main/t/ tcpdump/tcpdump_3.6.2-2.3_i386.deb Size/MD5 checksum: 169482 2e6aadf125c8e7bbde3d0dd162201480 Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2909.html +---------------------------------+ | Package: kde | ----------------------------// | Date: 02-20-2003 | +---------------------------------+ Description: This is a full update of the KDE desktop to the 3.0.5a version, the latest 3.0.x release from the KDE project[1]. Besides containing several bugfixes and enhancements, this update also fixes several security vulnerabilities[2] found during an internal code audit organized by the KDE team. Vendor Alerts: Conectiva: PLEASE SEE VENDOR ADVISORY FOR UPDATE Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisories/connectiva_advisory-2879.html +---------------------------------+ | Package: openssl | ----------------------------// | Date: 02-21-2003 | +---------------------------------+ Description: Vulnerable[2][3] openssl versions do not perform a MAC computation if an incorrect block cipher padding is used. An active attacker who can insert data into an existing encrypted connection is then able to measure time differences between the error messages the server sends. This information can make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext. Vendor Alerts: PLEASE SEE VENDOR ADVISORY FOR UPDATE Conectiva Vendor Advisory: http://www.linuxsecurity.com/advisories/connectiva_advisory-2893.html Debian Vendor Advisory: http://www.linuxsecurity.com/advisories/debian_advisory-2887.html FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisories/freebsd_advisory-2903.html SuSE Vendor Advisory: http://www.linuxsecurity.com/advisories/suse_advisory-2904.html Trustix Vendor Advisory: http://www.linuxsecurity.com/advisories/trustix_advisory-2885.html Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2896.html +---------------------------------+ | Package: WebTool | ----------------------------// | Date: 02-21-2003 | +---------------------------------+ Description: Keigo Yamazaki discovered a vulnerability in miniserv.pl (the webserver program at the core of the WebTool) which may allow an attacker to spoof a session ID by including special metacharacters in the BASE64 encoded string using during the authentication process. This may allow a remote attacker to gain full administrative privileges over the WebTool. All users are recommended to upgrade immediately. Vendor Alerts: EnGarde: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ noarch/WebTool-1.2-1.0.74.noarch.rpm MD5 Sum: 9a77f14ae33c4e3de1bdd0d5a325f0d3 noarch/WebTool-userpass-1.2-1.0.74.noarch.rpm MD5 Sum: 294fc1527f35b22b6db536b16730c25e EnGarde Vendor Advisory: http://www.linuxsecurity.com/advisories/engarde_advisory-2898.html +---------------------------------+ | Package: snycookie | ----------------------------// | Date: 02-24-2003 | +---------------------------------+ Description: Once a syncookie key has been recovered, an attacker may construct valid ISNs until the key is rotated (typically up to four seconds). The ability to construct a valid ISN may be used to spoof a TCP connection in exactly the same way as in the well-known ISN prediction attacks (see `References'). Spoofing may allow an attacker to bypass IP-based access control lists such as those implemented by tcp_wrappers and many firewalls. Similarly, SMTP and other connections may be forged, increasing the difficulty of tracing abusers. Recovery of a syncookie key will also allow the attacker to reset TCP connections initiated within the same 31.25ms window. Vendor Alerts: FreeBSD: PLEASE SEE VENDOR ADVISORY FOR UPDATE FreeBSD Vendor Advisory: http://www.linuxsecurity.com/advisories/freebsd_advisory-2888.html +---------------------------------+ | Package: webmin | ----------------------------// | Date: 02-22-2003 | +---------------------------------+ Description: Due to a remotely exploitable security hole being discovered that effects all previous Webmin releases, version 1.070 is now available for download. Vendor Alerts: Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html http://www.linuxsecurity.com/advisories/gentoo_advisory-2890.html Mandrake: Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2908.html +---------------------------------+ | Package: acupsd | ----------------------------// | Date: 02-22-2003 | +---------------------------------+ Description: A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. Vendor Alerts: Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisories/gentoo_advisory-2889.html +---------------------------------+ | Package: tightvnc | ----------------------------// | Date: 02-24-2003 | +---------------------------------+ Description: The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to be able to more easily guess the authentication cookie. Vendor Alerts: Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisories/gentoo_advisory-2891.html +---------------------------------+ | Package: vnc | ----------------------------// | Date: 02-24-2003 | +---------------------------------+ Description: The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to be able to more easily guess the authentication cookie. Vendor Alerts: Gentoo: PLEASE SEE VENDOR ADVISORY FOR UPDATE Gentoo Vendor Advisory: http://www.linuxsecurity.com/advisories/gentoo_advisory-2892.html Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2894.html Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2900.html +---------------------------------+ | Package: vte | ----------------------------// | Date: 02-24-2003 | +---------------------------------+ Description: One feature that most terminal emulators support is the ability for the shell to set the title of the window using an escape sequence. Certain xterm variants also provide an escape sequence for reporting the current window title. This essentially takes the current title and places it directly on the command line. This feature could be potentially exploited if an attacker can cause carefully crafted escape sequences to be displayed on a vulnerable terminal emulator used by their victim. Vendor Alerts: Red Hat: ftp://updates.redhat.com/8.0/en/os/i386/vte-0.8.19-2.i386.rpm a274eeb1dd40afeed45ea2f7601a6bac ftp://updates.redhat.com/8.0/en/os/i386/vte-devel-0.8.19-2.i386.rpm e4172c1224bc77357a0f0a8c315f2dc5 Red Hat Vendor Advisory: http://www.linuxsecurity.com/advisories/redhat_advisory-2901.html +---------------------------------+ | Package: hypermail | ----------------------------// | Date: 02-24-2003 | +---------------------------------+ Description: During an internal source code review done by Thomas Biege several bugs where found in hypermail and its tools. These bugs allow remote code execution, local tmp race conditions, denial-of-service conditions and read access to files belonging to the host hypermail is running on. Additionally the mail CGI program can be abused by spammers as email-relay and should thus be disabled. Vendor Alerts: SuSE: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/ hypermail-2.1.4-58.i586.rpm a4b683703b65cb65d0d1b246c2bf652d SuSE Vendor Advisory: http://www.linuxsecurity.com/advisories/suse_advisory-2905.html +---------------------------------+ | Package: libmcrypt | ----------------------------// | Date: 02-26-2003 | +---------------------------------+ Description: Versions of libmcrypt prior to 2.5.5 include several buffer overflows that can be triggered by passing very long input to the mcrypt functions. Vendor Alerts: SuSE: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/ i586/libmcrypt-2.5.2-48.i586.rpm 6dc3127a069545b9cb00cafd9897021f SuSE Vendor Advisory: http://www.linuxsecurity.com/advisories/suse_advisory-2902.html +---------------------------------+ | Package: openldap | ----------------------------// | Date: 02-20-2003 | +---------------------------------+ Description: Several minor security issues where fixed in the new upstream version 1.2.13 Vendor Alerts: Trustix: ftp://ftp.trustix.net/pub/Trustix/updates/ ./1.5/RPMS/openldap1-servers-1.2.13-1tr.i586.rpm c71ef6c3a75b869d975503ad0e83ce28 ./1.5/RPMS/openldap1-devel-1.2.13-1tr.i586.rpm 61075ed423e0eae96eb552d3c758a0fb ./1.5/RPMS/openldap1-1.2.13-1tr.i586.rpm 0c4c1a15002b12f5c2f077e2ce2df869 Trustix Vendor Advisory: http://www.linuxsecurity.com/advisories/trustix_advisory-2882.html +---------------------------------+ | Package: mysql | ----------------------------// | Date: 02-20-2003 | +---------------------------------+ Description: The new upstream version of mysql, 3.23.55, included several minor security fixes. Vendor Alerts: Trustix: ftp://ftp.trustix.net/pub/Trustix/updates/ ./1.5/RPMS/mysql-shared-3.23.55-1tr.i586.rpm f00e01e926018961578532eda9702f4f ./1.5/RPMS/mysql-devel-3.23.55-1tr.i586.rpm 4b216ea845e3cb21f32bd7cadbc0d298 ./1.5/RPMS/mysql-client-3.23.55-1tr.i586.rpm 9a4ce5a9be56e59191a050ca8e543097 ./1.5/RPMS/mysql-bench-3.23.55-1tr.i586.rpm a5f91d90674586626d1cf3aff3129c7e ./1.5/RPMS/mysql-3.23.55-1tr.i586.rpm 094d0947f8b7c0b9bfa6e0dde0a66bb4 Trustix Vendor Advisory: http://www.linuxsecurity.com/advisories/trustix_advisory-2883.html +---------------------------------+ | Package: postgresql | ----------------------------// | Date: 02-20-2003 | +---------------------------------+ Description: The new upstream version of postgresql, 7.1.3, included several minor security fixes. Vendor Alerts: Trustix: ftp://ftp.trustix.net/pub/Trustix/updates/ PLEASE SEE VENDOR ADVISORY FOR UPDATE Trustix Vendor Advisory: http://www.linuxsecurity.com/advisories/trustix_advisory-2884.html +---------------------------------+ | Package: initscripts | ----------------------------// | Date: 02-20-2003 | +---------------------------------+ Description: A dependency loop exists between several package including initscripts, pam and SysVinit, that causes the installer to complaint. This update removes the loop, as it was not needed. Vendor Alerts: Trustix: PLEASE SEE VENDOR ADVISORY FOR UPDATE Trustix Vendor Advisory: http://www.linuxsecurity.com/advisories/trustix_advisory-2881.html +---------------------------------+ | Package: krb5 | ----------------------------// | Date: 02-21-2003 | +---------------------------------+ Description: A vulnerability was discovered in the Kerberos FTP client. When the client retrieves a file that has a filename beginning with a pipe character, the FTP client will pass that filename to the command shell in a system() call. This could allow a malicious remote FTP server to write to files outside of the current directory or even execute arbitrary commands as the user using the FTP client. Vendor Alerts: Mandrake: PLEASE SEE VENDOR ADVISORY FOR UPDATE Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2895.html +---------------------------------+ | Package: lynx | ----------------------------// | Date: 02-21-2003 | +---------------------------------+ Description: A vulnerability was discovered in lynx, a text-mode web browser. The HTTP queries that lynx constructs are from arguments on the command line or the $WWW_HOME environment variable, but lynx does not properly sanitize special characters such as carriage returns or linefeeds. Extra headers can be inserted into the request because of this, which can cause scripts that use lynx to fetch data from the wrong site from servers that use virtual hosting. Vendor Alerts: Mandrake: 9.0/RPMS/lynx-2.8.5-0.10mdk.dev.8.i586.rpm 59fd26d160a9168588b3dde6a0405c5e http://www.mandrakesecure.net/en/ftp.php Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2899.html +---------------------------------+ | Package: shadow-utils | ----------------------------// | Date: 02-21-2003 | +---------------------------------+ Description: The shadow-utils package contains the tool useradd, which is used to create or update new user information. When useradd creates an account, it would create it with improper permissions; instead of having it owned by the group mail, it would be owned by the user's primary group. If this is a shared group (ie. "users"), then all members of the shared group would be able to obtain access to the mail spools of other members of the same group. A patch to useradd has been applied to correct this problem. Vendor Alerts: Mandrake: 9.0/RPMS/shadow-utils-20000902-8.1mdk.i586.rpm 4aec1f507ffde87dd10299f31cb20b84 http://www.mandrakesecure.net/en/ftp.php Mandrake Vendor Advisory: http://www.linuxsecurity.com/advisories/mandrake_advisory-2907.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@linuxsecurity.com with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------