+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  April 11th, 2002                        Volume 4, Number 14a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for snort, sendmail, samba, dhcp,
file, kernel ptrace, zlib, man, mutt, metrics, moxftp, glibc, heimdal,
seti, kde, apache, cvs, kerberos, mysql, httpd, and openssl. The
distributors include Conectiva, Debian, Gentoo, Immunix, FreeBSD,
Mandrake, Slackware, SuSE, and Trustix.

* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite
is unparalleled in security, ease of management, and features. Open
source technology constantly adapts to new threats. Email firewall,
simplified administration, automatically updated.

 --> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2

-----------------------------
LinuxSecurity Feature Extras:
-----------------------------

Making It Big: Large Scale Network Forensics (Part 2 of 2) - Proper
methodology for computer forensics would involve a laundry-list of
actions and thought processes that an investigator needs to consider in
order to have the basics covered.
http://www.linuxsecurity.com/feature_stories/feature_story-140.html

Making It Big: Large Scale Network Forensics (Part 1 of 2) - Computer
forensics have hit the big time. A previously superniche technology,
forensics have moved into the collective consciousness of IT sys.
admins. and Corporate CSOs.
http://www.linuxsecurity.com/feature_stories/feature_story-139.html

+---------------------------------+
|  Package: snort                 | ----------------------------//
+---------------------------------+

 Description:
 A remote attacker able to insert specially crafted RPC traffic into
 the network being monitored by snort may crash the sensor or execute
 arbitrary code in the context of the sensor process, which runs as
 the root user.

 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3114.html

+---------------------------------+
|  Package: sendmail              | ----------------------------//
+---------------------------------+

 Description:
 It is believed to be possible for remote attackers to cause a Denial
 of Service condition and even to execute arbitrary commands with the
 same permissions under which the sendmail daemon runs, which is root.

 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3115.html
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3119.html
   NetBSD:
     NetBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-3121.html
   Slackware:
     Slackware Vendor Advisory:
     http://www.linuxsecurity.com/advisories/slackware_advisory-3086.html

+---------------------------------+
|  Package: samba                 | ----------------------------//
+---------------------------------+

 Description:
 The SuSE Security Team performed a security audit in parts of the
 Samba project code and found various problems in both the client and
 server implementations. Among these problems is a buffer overflow[1]
 vulnerability in the packet fragment re-assembly code. A remote
 attacker who is able to connect to the samba server may gain root
 privileges on it by exploiting this vulnerability.
 The vulnerability also affects the client library code, so it is
 possible to exploit applications which use samba library functions by
 having a malicious samba server send traffic to them. Additionally, a
 race condition[2] was discovered which could allow a local attacker to
 overwrite critical system files.

 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3116.html
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3142.html
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3127.html
   Gentoo:
     Gentoo Vendor Advisory:
     http://www.linuxsecurity.com/advisories/gentoo_advisory-3146.html
   Immunix:
     Immunix Vendor Advisory:
     http://www.linuxsecurity.com/advisories/immunix_advisory-3129.html
   Mandrake:
     Mandrake Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-3135.html
   Red Hat:
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-3148.html
   Slackware:
     Slackware Vendor Advisory:
     http://www.linuxsecurity.com/advisories/slackware_advisory-3138.html
   SuSE:
     SuSE Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-3139.html
   Trustix:
     Trustix Vendor Advisory:
     http://www.linuxsecurity.com/advisories/trustix_advisory-3140.html

+---------------------------------+
|  Package: dhcp                  | ----------------------------//
+---------------------------------+

 Description:
 Florian Lohoff discovered[2] a vulnerability[3,4] in the way dhcrelay
 (part of the dhcp package) forwards malicious BOOTP packets it
 receives to the dhcp servers it contacts. An attacker could exploit
 this vulnerability to generate a "storm" of BOOTP packets, causing a
 denial of service condition or misbehavior on the part of the dhcp
 server.
 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3117.html
   Turbo Linux:
     Turbo Linux Vendor Advisory:
     http://www.linuxsecurity.com/advisories/turbolinux_advisory-3113.html

+---------------------------------+
|  Package: file                  | ----------------------------//
+---------------------------------+

 Description:
 iDefense has found a buffer overflow vulnerability[1] in the file
 command. This vulnerability can be triggered by the use of specially
 crafted files.

 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3122.html

+---------------------------------+
|  Package: kernel ptrace         | ----------------------------//
+---------------------------------+

 Description:
 When a process requires a feature that a certain kernel module
 provides, the kernel will spawn a child process, give it root
 privileges and call /sbin/modprobe to load that module. A local
 attacker can create such a process, make it request a kernel module
 and wait for the child process to be spawned. Before the privilege
 change, the attacker can attach to this child process and insert code
 that will later be run with root privileges.

 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3123.html
   Red Hat:
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-3149.html

+---------------------------------+
|  Package: zlib                  | ----------------------------//
+---------------------------------+

 Description:
 Richard Kettlewell discovered[1] a buffer overflow vulnerability[2] in
 the gzprintf() function provided by zlib. If a program passes unsafe
 data to this function (e.g. data from remote images or network
 traffic), it is possible for a remote attacker to execute arbitrary
 code or to cause a denial of service in such programs.
 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3131.html

+---------------------------------+
|  Package: man                   | ----------------------------//
+---------------------------------+

 Description:
 Jack Lloyd found[1] a local vulnerability in the man utility. Because
 of a problem with a value returned by the my_xsprintf() function, man
 could try to execute a program called "unsafe" when reading a manpage
 file with certain characteristics. If an attacker can put a malicious
 executable file called "unsafe" in the system PATH and get a user to
 open a specially created manpage, it could run arbitrary commands with
 the privileges of this user.

 Vendor Alerts:
   Conectiva:
     Conectiva Vendor Advisory:
     http://www.linuxsecurity.com/advisories/connectiva_advisory-3132.html

+---------------------------------+
|  Package: mutt                  | ----------------------------//
+---------------------------------+

 Description:
 Byrial Jensen discovered a couple of off-by-one buffer overflows in
 the IMAP code of Mutt, a text-oriented mail reader supporting IMAP,
 MIME, GPG, PGP and threading. This problem could potentially allow a
 remote malicious IMAP server to cause a denial of service (crash) and
 possibly execute arbitrary code via a specially crafted mail folder.

 Vendor Alerts:
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3124.html
   Red Hat:
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-3111.html
   Slackware:
     Slackware Vendor Advisory:
     http://www.linuxsecurity.com/advisories/slackware_advisory-3087.html

+---------------------------------+
|  Package: metrics               | ----------------------------//
+---------------------------------+

 Description:
 Paul Szabo and Matt Zimmerman discovered two similar problems in
 metrics, a tool for software metrics. Two scripts in this package,
 "halstead" and "gather_stats", open temporary files without taking
 appropriate security precautions. "halstead" is installed as a user
 program, while "gather_stats" is only used in an auxiliary script
 included in the source code. These vulnerabilities could allow a local
 attacker to overwrite files owned by the user running the scripts,
 including root.

 Vendor Alerts:
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3125.html

+---------------------------------+
|  Package: moxftp                | ----------------------------//
+---------------------------------+

 Description:
 Knud Erik Hjgaard discovered a vulnerability in moxftp (and xftp
 respectively), an Athena X interface to FTP. Insufficient bounds
 checking could lead to execution of arbitrary code provided by a
 malicious FTP server. Erik Tews fixed this.

 Vendor Alerts:
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3143.html

+---------------------------------+
|  Package: glibc                 | ----------------------------//
+---------------------------------+

 Description:
 eEye Digital Security discovered an integer overflow in the
 xdrmem_getbytes() function, which is also present in GNU libc. This
 function is part of the XDR (external data representation)
 encoder/decoder derived from Sun's RPC implementation. Depending upon
 the application, this vulnerability can cause buffer overflows and
 could possibly be exploited to execute arbitrary code.

 Vendor Alerts:
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3144.html

+---------------------------------+
|  Package: heimdal               | ----------------------------//
+---------------------------------+

 Description:
 A cryptographic weakness in version 4 of the Kerberos protocol allows
 an attacker to use a chosen-plaintext attack to impersonate any
 principal in a realm. Additional cryptographic weaknesses in the krb4
 implementation permit the use of cut-and-paste attacks to fabricate
 krb4 tickets for unauthorized client principals if triple-DES keys are
 used to key krb4 services.
 These attacks can subvert a site's entire Kerberos authentication
 infrastructure.

 Vendor Alerts:
   Debian:
     Debian Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-3153.html

+---------------------------------+
|  Package: seti                  | ----------------------------//
+---------------------------------+

 Description:
 "There is a buffer overflow in the server response handler. Sending an
 overly large string followed by a newline ('\n') character to the
 client will trigger this overflow. This has been tested with various
 versions of the client. All versions are presumed to have this flaw in
 some form."

 Vendor Alerts:
   Gentoo:
     Gentoo Vendor Advisory:
     http://www.linuxsecurity.com/advisories/gentoo_advisory-3147.html
   FreeBSD:
     FreeBSD Vendor Advisory:
     http://www.linuxsecurity.com/advisories/freebsd_advisory-3133.html

+---------------------------------+
|  Package: kde                   | ----------------------------//
+---------------------------------+

 Description:
 An attacker can prepare a malicious PostScript or PDF file which will
 provide the attacker with access to the victim's account and
 privileges when the victim opens this malicious file for viewing, or
 when the victim browses a directory containing such a malicious file
 and has file previews enabled.

 Vendor Alerts:
   Gentoo:
     Gentoo Vendor Advisory:
     http://www.linuxsecurity.com/advisories/gentoo_advisory-3154.html

+---------------------------------+
|  Package: apache                | ----------------------------//
+---------------------------------+

 Description:
 "Remote exploitation of a memory leak in the Apache HTTP Server causes
 the daemon to over utilize system resources on an affected system. The
 problem is HTTP Server's handling of large chunks of consecutive
 linefeed characters. The web server allocates an eighty-byte buffer
 for each linefeed character without specifying an upper limit for
 allocation. Consequently, an attacker can remotely exhaust system
 resources by generating many requests containing these characters."
 Vendor Alerts:
   Gentoo:
     Gentoo Vendor Advisory:
     http://www.linuxsecurity.com/advisories/gentoo_advisory-3145.html

+---------------------------------+
|  Package: cvs                   | ----------------------------//
+---------------------------------+

 Description:
 Stefan Esser discovered a double free() bug in CVS that can be
 remotely exploited by anonymous users to gain write access to the CVS
 repository. This write access can be converted into execute access
 using the CVS protocol commands "Checkin-prog" and "Update-prog".

 Vendor Alerts:
   Immunix:
     Immunix Vendor Advisory:
     http://www.linuxsecurity.com/advisories/immunix_advisory-3130.html

+---------------------------------+
|  Package: kerberos              | ----------------------------//
+---------------------------------+

 Description:
 Multiple vulnerabilities have been found in the MIT Kerberos suite.
 This release removes triple-DES support in Kerberos IV and cross-realm
 authentication in Kerberos IV, as both are known to be insecure. This
 release also fixes two denial of service attacks against the Kerberos
 daemons.

 Vendor Alerts:
   Immunix:
     Immunix Vendor Advisory:
     http://www.linuxsecurity.com/advisories/immunix_advisory-3134.html

+---------------------------------+
|  Package: mysql                 | ----------------------------//
+---------------------------------+

 Description:
 Multiple vulnerabilities, including a signed integer vulnerability,
 have been resolved.

 Vendor Alerts:
   Immunix:
     Immunix Vendor Advisory:
     http://www.linuxsecurity.com/advisories/immunix_advisory-3151.html

+---------------------------------+
|  Package: httpd                 | ----------------------------//
+---------------------------------+

 Description:
 Updated httpd packages which fix a number of security issues are now
 available for Red Hat Linux 8.0 and 9.
 Vendor Alerts:
   Red Hat:
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-3152.html

+---------------------------------+
|  Package: openssl               | ----------------------------//
+---------------------------------+

 Description:
 Researchers from Stanford University have discovered certain
 weaknesses in OpenSSL's RSA decryption code. They allow remote
 attackers to compute the private RSA key of a server by observing its
 timing behavior. This bug has been fixed by enabling "RSA blinding" by
 default.

 Vendor Alerts:
   Red Hat:
     Red Hat Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-3112.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------