+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 28th, 2002 Volume 4, Number 9a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@linuxsecurity.com ben@linuxsecurity.com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilitiaes that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for slocate, nanog, tcpdump, kde,
openssl, WebTool, syncookie, webmin, acupsd, tightvnc, vnc, vte,
hypermail, libmcrypt, openldap, mysql, postgresql, initscripts, krb5,
lynx, and shadow-utils. The distributors include Conectiva, Debian,
Guardian Digital's EnGarde Secure Linux, Gentoo, Mandrake, Red Hat, SuSE,
and Trustix.
#### Concerned about the next threat? ####
#### EnGarde is the undisputed winner! ####
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what the
other Linux vendors are not telling you.
http://store.guardiandigital.com/html/eng/products/software/esp_overview.shtml
Remote Syslog with MySQL and PHP
Msyslog has the ability to log syslog messages to a database. This allows
for easier monitoring of multiple servers and the ability to be display
and search for syslog messages using PHP or any other programming language
that can communicate with the database.by that, too.
http://www.linuxsecurity.com/feature_stories/feature_story-138.html
Review: Mastering Network Security, Second Edition - The introduction
states that this book is aimed at systems administrators who are not
security experts, but have some responsibility for ensuring the integrity
of their systems. That would seem to cover most sysadmins.
http://www.linuxsecurity.com/feature_stories/feature_story-137.html
+---------------------------------+
| Package: slocate | ----------------------------//
| Date: 02-21-2003 |
+---------------------------------+
Description:
A problem has been discovered in slocate, a secure locate replacement. A
buffer overflow in the setuid program slocate can be used to execute
arbitrary code as superuser.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/s/
slocate/slocate_2.6-1.3.1_i386.deb
Size/MD5 checksum: 24788 9c9121191ee8ce7321bda76b3bb0c8fa
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2880.html
+---------------------------------+
| Package: nanog | ----------------------------//
| Date: 02-27-2003 |
+---------------------------------+
Description:
A vulnerability has been discovered in NANOG traceroute, an enhanced
version of the Van Jacobson/BSD traceroute program. A buffer overflow
occurs in the 'get_origin()' function. Due to insufficient bounds
checking performed by the whois parser, it may be possible to corrupt
memory on the system stack. This vulnerability can be exploited by a
remote attacker to gain root privileges on a target host. Though, most
probably not in Debian.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/t/traceroute-nanog/
traceroute-nanog_6.0-2.2_i386.deb
Size/MD5 checksum: 18588 78445b5c9cbef332d14f22e40dce094b
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2906.html
+---------------------------------+
| Package: tcpdump | ----------------------------//
| Date: 02-27-2003 |
+---------------------------------+
Description:
Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition. An attacker is
able to send a specially crafted network packet which causes tcpdump to
enter an infinite loop.
Vendor Alerts:
Debian:
http://security.debian.org/pool/updates/main/t/
tcpdump/tcpdump_3.6.2-2.3_i386.deb
Size/MD5 checksum: 169482 2e6aadf125c8e7bbde3d0dd162201480
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2909.html
+---------------------------------+
| Package: kde | ----------------------------//
| Date: 02-20-2003 |
+---------------------------------+
Description:
This is a full update of the KDE desktop to the 3.0.5a version, the latest
3.0.x release from the KDE project[1]. Besides containing several bugfixes
and enhancements, this update also fixes several security
vulnerabilities[2] found during an internal code audit organized by the
KDE team.
Vendor Alerts:
Conectiva:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/connectiva_advisory-2879.html
+---------------------------------+
| Package: openssl | ----------------------------//
| Date: 02-21-2003 |
+---------------------------------+
Description:
Vulnerable[2][3] openssl versions do not perform a MAC computation if an
incorrect block cipher padding is used. An active attacker who can insert
data into an existing encrypted connection is then able to measure time
differences between the error messages the server sends. This information
can make it easier to launch cryptographic attacks that rely on
distinguishing between padding and MAC verification errors, possibly
leading to extraction of the original plaintext.
Vendor Alerts:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Conectiva Vendor Advisory:
http://www.linuxsecurity.com/advisories/connectiva_advisory-2893.html
Debian Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-2887.html
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2903.html
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2904.html
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/trustix_advisory-2885.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2896.html
+---------------------------------+
| Package: WebTool | ----------------------------//
| Date: 02-21-2003 |
+---------------------------------+
Description:
Keigo Yamazaki discovered a vulnerability in miniserv.pl (the webserver
program at the core of the WebTool) which may allow an attacker to spoof a
session ID by including special metacharacters in the BASE64 encoded
string using during the authentication process. This may allow a remote
attacker to gain full administrative privileges over the WebTool. All
users are recommended to upgrade immediately.
Vendor Alerts:
EnGarde:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
noarch/WebTool-1.2-1.0.74.noarch.rpm
MD5 Sum: 9a77f14ae33c4e3de1bdd0d5a325f0d3
noarch/WebTool-userpass-1.2-1.0.74.noarch.rpm
MD5 Sum: 294fc1527f35b22b6db536b16730c25e
EnGarde Vendor Advisory:
http://www.linuxsecurity.com/advisories/engarde_advisory-2898.html
+---------------------------------+
| Package: snycookie | ----------------------------//
| Date: 02-24-2003 |
+---------------------------------+
Description:
Once a syncookie key has been recovered, an attacker may construct valid
ISNs until the key is rotated (typically up to four seconds). The ability
to construct a valid ISN may be used to spoof a TCP connection in exactly
the same way as in the well-known ISN prediction attacks (see
`References'). Spoofing may allow an attacker to bypass IP-based access
control lists such as those implemented by tcp_wrappers and many
firewalls. Similarly, SMTP and other connections may be forged,
increasing the difficulty of tracing abusers. Recovery of a syncookie key
will also allow the attacker to reset TCP connections initiated within the
same 31.25ms window.
Vendor Alerts:
FreeBSD:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
FreeBSD Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-2888.html
+---------------------------------+
| Package: webmin | ----------------------------//
| Date: 02-22-2003 |
+---------------------------------+
Description:
Due to a remotely exploitable security hole being discovered that effects
all previous Webmin releases, version 1.070 is now available for download.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html
http://www.linuxsecurity.com/advisories/gentoo_advisory-2890.html
Mandrake:
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2908.html
+---------------------------------+
| Package: acupsd | ----------------------------//
| Date: 02-22-2003 |
+---------------------------------+
Description:
A remote root vulnerability in slave setups and some buffer overflows in
the network information server code were discovered by the apcupsd
developers.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/gentoo_advisory-2889.html
+---------------------------------+
| Package: tightvnc | ----------------------------//
| Date: 02-24-2003 |
+---------------------------------+
Description:
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/gentoo_advisory-2891.html
+---------------------------------+
| Package: vnc | ----------------------------//
| Date: 02-24-2003 |
+---------------------------------+
Description:
The VNC server acts as an X server, but the script for starting it
generates an MIT X cookie (which is used for X authentication) without
using a strong enough random number generator. This could allow an
attacker to be able to more easily guess the authentication cookie.
Vendor Alerts:
Gentoo:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Gentoo Vendor Advisory:
http://www.linuxsecurity.com/advisories/gentoo_advisory-2892.html
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2894.html
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2900.html
+---------------------------------+
| Package: vte | ----------------------------//
| Date: 02-24-2003 |
+---------------------------------+
Description:
One feature that most terminal emulators support is the ability for the
shell to set the title of the window using an escape sequence. Certain
xterm variants also provide an escape sequence for reporting the current
window title. This essentially takes the current title and places it
directly on the command line. This feature could be potentially exploited
if an attacker can cause carefully crafted escape sequences to be
displayed on a vulnerable terminal emulator used by their victim.
Vendor Alerts:
Red Hat:
ftp://updates.redhat.com/8.0/en/os/i386/vte-0.8.19-2.i386.rpm
a274eeb1dd40afeed45ea2f7601a6bac
ftp://updates.redhat.com/8.0/en/os/i386/vte-devel-0.8.19-2.i386.rpm
e4172c1224bc77357a0f0a8c315f2dc5
Red Hat Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-2901.html
+---------------------------------+
| Package: hypermail | ----------------------------//
| Date: 02-24-2003 |
+---------------------------------+
Description:
During an internal source code review done by Thomas Biege several bugs
where found in hypermail and its tools. These bugs allow remote code
execution, local tmp race conditions, denial-of-service conditions and
read access to files belonging to the host hypermail is running on.
Additionally the mail CGI program can be abused by spammers as email-relay
and should thus be disabled.
Vendor Alerts:
SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/
hypermail-2.1.4-58.i586.rpm
a4b683703b65cb65d0d1b246c2bf652d
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2905.html
+---------------------------------+
| Package: libmcrypt | ----------------------------//
| Date: 02-26-2003 |
+---------------------------------+
Description:
Versions of libmcrypt prior to 2.5.5 include several buffer overflows that
can be triggered by passing very long input to the mcrypt functions.
Vendor Alerts:
SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/
i586/libmcrypt-2.5.2-48.i586.rpm
6dc3127a069545b9cb00cafd9897021f
SuSE Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-2902.html
+---------------------------------+
| Package: openldap | ----------------------------//
| Date: 02-20-2003 |
+---------------------------------+
Description:
Several minor security issues where fixed in the new upstream version
1.2.13
Vendor Alerts:
Trustix:
ftp://ftp.trustix.net/pub/Trustix/updates/
./1.5/RPMS/openldap1-servers-1.2.13-1tr.i586.rpm
c71ef6c3a75b869d975503ad0e83ce28
./1.5/RPMS/openldap1-devel-1.2.13-1tr.i586.rpm
61075ed423e0eae96eb552d3c758a0fb
./1.5/RPMS/openldap1-1.2.13-1tr.i586.rpm
0c4c1a15002b12f5c2f077e2ce2df869
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/trustix_advisory-2882.html
+---------------------------------+
| Package: mysql | ----------------------------//
| Date: 02-20-2003 |
+---------------------------------+
Description:
The new upstream version of mysql, 3.23.55, included several minor
security fixes.
Vendor Alerts:
Trustix:
ftp://ftp.trustix.net/pub/Trustix/updates/
./1.5/RPMS/mysql-shared-3.23.55-1tr.i586.rpm
f00e01e926018961578532eda9702f4f
./1.5/RPMS/mysql-devel-3.23.55-1tr.i586.rpm
4b216ea845e3cb21f32bd7cadbc0d298
./1.5/RPMS/mysql-client-3.23.55-1tr.i586.rpm
9a4ce5a9be56e59191a050ca8e543097
./1.5/RPMS/mysql-bench-3.23.55-1tr.i586.rpm
a5f91d90674586626d1cf3aff3129c7e
./1.5/RPMS/mysql-3.23.55-1tr.i586.rpm
094d0947f8b7c0b9bfa6e0dde0a66bb4
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/trustix_advisory-2883.html
+---------------------------------+
| Package: postgresql | ----------------------------//
| Date: 02-20-2003 |
+---------------------------------+
Description:
The new upstream version of postgresql, 7.1.3, included several minor
security fixes.
Vendor Alerts:
Trustix:
ftp://ftp.trustix.net/pub/Trustix/updates/
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/trustix_advisory-2884.html
+---------------------------------+
| Package: initscripts | ----------------------------//
| Date: 02-20-2003 |
+---------------------------------+
Description:
A dependency loop exists between several package including initscripts,
pam and SysVinit, that causes the installer to complaint. This update
removes the loop, as it was not needed.
Vendor Alerts:
Trustix:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Trustix Vendor Advisory:
http://www.linuxsecurity.com/advisories/trustix_advisory-2881.html
+---------------------------------+
| Package: krb5 | ----------------------------//
| Date: 02-21-2003 |
+---------------------------------+
Description:
A vulnerability was discovered in the Kerberos FTP client. When the
client retrieves a file that has a filename beginning with a pipe
character, the FTP client will pass that filename to the command shell in
a system() call. This could allow a malicious remote FTP server to write
to files outside of the current directory or even execute arbitrary
commands as the user using the FTP client.
Vendor Alerts:
Mandrake:
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2895.html
+---------------------------------+
| Package: lynx | ----------------------------//
| Date: 02-21-2003 |
+---------------------------------+
Description:
A vulnerability was discovered in lynx, a text-mode web browser. The HTTP
queries that lynx constructs are from arguments on the command line or the
$WWW_HOME environment variable, but lynx does not properly sanitize
special characters such as carriage returns or linefeeds. Extra headers
can be inserted into the request because of this, which can cause scripts
that use lynx to fetch data from the wrong site from servers that use
virtual hosting.
Vendor Alerts:
Mandrake:
9.0/RPMS/lynx-2.8.5-0.10mdk.dev.8.i586.rpm
59fd26d160a9168588b3dde6a0405c5e
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2899.html
+---------------------------------+
| Package: shadow-utils | ----------------------------//
| Date: 02-21-2003 |
+---------------------------------+
Description:
The shadow-utils package contains the tool useradd, which is used to
create or update new user information. When useradd creates an account, it
would create it with improper permissions; instead of having it owned by
the group mail, it would be owned by the user's primary group. If this is
a shared group (ie. "users"), then all members of the shared group would
be able to obtain access to the mail spools of other members of the same
group. A patch to useradd has been applied to correct this problem.
Vendor Alerts:
Mandrake:
9.0/RPMS/shadow-utils-20000902-8.1mdk.i586.rpm
4aec1f507ffde87dd10299f31cb20b84
http://www.mandrakesecure.net/en/ftp.php
Mandrake Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-2907.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
