+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  July 18th, 2003                          Volume 4, Number 28a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx        ben@xxxxxxxxxxxxxxxxx

  This week, advisories were released for pam, gnupg, mpg123, ucd-snmp,
  phpgroupware, traceroute-nanog, nfs-utils, falconseye, php4, unzip,
  radius, gtksee, kernel, mozilla, xpdf, apache, and ypserv.  The
  distributors include Conectiva, Debian, Gentoo, Immunix, Mandrake,
  Red Hat, Slackware, SuSE, Trustix, and Turbo Linux.

  One of the most recurring annoyances that I have had about vendor
  vulnerability announcements is the lack of standardization.  Week
  after week software vendors continue to release advisories that
  outline various vulnerabilities and announce major updates.  What is
  wrong with these?  Why am I concerned about standards?  As a seasoned
  Linux user, I have become accustomed to the various formatting
  techniques of each vendor.  Other, less experienced users may have
  trouble determining exactly what to update from poorly organized
  advisories.

  One of the most consistently good distributions is Red Hat.  Each
  week, advisories are released with an informative but concise history
  of each vulnerability, links to all updated packages, information on
  how to update, and MD5 checksums for each updated file.  Another
  consistent distribution is Debian.  The presentation is similar to
  Red Hat's; however, they choose to include the MD5 checksum below each
  URL.  This simple difference can save an administrator time when
  verifying each file.  Rather than having to look the hash up in a
  table, it is easier to find and identify.  Other distributions such as
  Immunix and Gentoo provide very little information in each advisory.
  Only a very short description and links to updated packages, or
  instructions on how to update the software, are given.
  Personally, I prefer the Red Hat/Debian style because I am concerned
  about having an informed idea of what I am applying.  Others may
  prefer shorter advisories because time is not wasted sifting through
  mounds of information.  Is there a solution?  The closest to a
  standardization that I have found is the VulnXML project.  What is
  it?  It is an open XML DTD to regulate the creation of XML-type
  security advisories.  Rather than plaintext, vendors will be
  encouraged to release advisories as an XML document, resulting in
  more consistency.  With this, users will ultimately have an easier
  understanding of the advisories released.  Web sites will then have
  the ability to format advisories for better readability and
  indexing.

  I commend the VulnXML development team for establishing this project.
  I am anxious to see how it progresses.  Probably the most difficult
  aspect will be getting vendors to participate.  Initially, I see this
  getting started by recruiting volunteers to 'translate' new
  advisories.  As community support and demand grows for VulnXML
  advisories, vendors will conform.  If you are interested in learning
  more about VulnXML, I recommend that you visit:

  http://www.owasp.org/vulnxml/

  Until next time,

  Benjamin D. Thomas
  ben@xxxxxxxxxxxxxxxxx
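The column's point about Debian placing the MD5 checksum directly under each package URL is that an administrator can verify downloads mechanically rather than by eye. The script below is an added example, not part of the newsletter or of any vendor's tooling: it parses a constructed, Debian-style advisory excerpt (made-up package names and URLs under the hypothetical host security.example.org; the "Size/MD5 checksum:" line layout is an assumption), computes the MD5 of each "downloaded" file (here stand-in byte strings kept in a dict instead of files on disk), and reports which files match, which were tampered with at unchanged size, and which are missing. MD5 is used only because that is what the 2003 advisories published; it is no longer collision-resistant and a modern advisory should carry SHA-256 sums and a signature.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory excerpt (NOT a real advisory): each package URL is
# followed by its checksum line, the layout the column credits to Debian.
# The checksums match the sample downloads below, except where noted.
SAMPLE_ADVISORY = """\
Advisory excerpt (constructed for this example)

  http://security.example.org/pool/updates/main/n/nfs-utils/nfs-utils_1.0-1.deb
    Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
  http://security.example.org/pool/updates/main/n/nfs-utils/nfs-common_1.0-1.deb
    Size/MD5 checksum:       43 9e107d9d372bb6826bd81d3542a419d6
  http://security.example.org/pool/updates/main/t/traceroute-nanog/traceroute-nanog_6.1.1-1.deb
    Size/MD5 checksum:       43 1055d3e698d289f2af8663725127bd4b
  http://security.example.org/pool/updates/main/y/ypserv/ypserv_2.8-1.deb
    Size/MD5 checksum:        0 d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed stand-ins for the downloaded files (file name -> content).
# traceroute-nanog has the advertised size but different bytes, so only the
# checksum catches it; ypserv was never downloaded at all.
SAMPLE_DOWNLOADS: Dict[str, bytes] = {
    "nfs-utils_1.0-1.deb": b"abc",
    "nfs-common_1.0-1.deb": b"The quick brown fox jumps over the lazy dog",
    "traceroute-nanog_6.1.1-1.deb": b"The quick brown fox jumps over the lazy dog",
}

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
# Accepts either "Size/MD5 checksum: <size> <hex>" or a bare 32-hex-digit line.
MD5_RE = re.compile(r"^\s*(?:Size/MD5 checksum:\s*(\d+)\s+)?([0-9a-fA-F]{32})\s*$")


def parse_advisory(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (url, md5_hex, size_or_None) for every URL whose next
    non-blank line is a checksum line; URLs without one are skipped."""
    entries = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        url = URL_RE.match(line)
        if not url:
            continue
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue  # skip blank lines between URL and checksum
            sums = MD5_RE.match(nxt)
            if sums:
                size = int(sums.group(1)) if sums.group(1) else None
                entries.append((url.group(1), sums.group(2).lower(), size))
            break
    return entries


def verify_downloads(advisory: str, downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Map each package file named in the advisory to one of:
    'ok', 'missing', 'size mismatch', 'checksum mismatch'."""
    results = {}
    for url, expected_md5, expected_size in parse_advisory(advisory):
        name = url.rsplit("/", 1)[-1]
        data = downloads.get(name)
        if data is None:
            results[name] = "missing"
            continue
        if expected_size is not None and len(data) != expected_size:
            results[name] = "size mismatch"
            continue
        actual_md5 = hashlib.md5(data).hexdigest()
        # compare_digest avoids leaking how many leading hex digits matched
        if hmac.compare_digest(actual_md5, expected_md5):
            results[name] = "ok"
        else:
            results[name] = "checksum mismatch"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    """True only when every listed package verified; use as the gate
    before installing anything."""
    return bool(results) and all(v == "ok" for v in results.values())


if __name__ == "__main__":
    report = verify_downloads(SAMPLE_ADVISORY, SAMPLE_DOWNLOADS)
    for name, status in report.items():
        print(f"{status:>18}  {name}")
    print("install allowed" if all_ok(report) else "refusing to install")
```

Against real downloads, replace `SAMPLE_DOWNLOADS` with the file contents read from disk and feed the advisory text as received; the gate in `all_ok` is deliberately all-or-nothing, because a partially verified update set is exactly what an attacker substituting one package would hope you accept.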
  REVIEW: Linux Security Cookbook

  There are rarely straightforward solutions to real-world issues,
  especially in the field of security.  The Linux Security Cookbook is
  an essential tool to help solve those real-world problems.
  http://www.linuxsecurity.com/feature_stories/feature_story-145.html

  --> Take advantage of the LinuxSecurity.com Quick Reference Card!
  --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

--------------------------------------------------------------------

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  7/11/2003 - pam
    Local vulnerability

    Andreas Beck discovered[1] a vulnerability in the use of pam_xauth
    by the su utility.  If the attacker can make one user run su from
    an X session, he can steal the X credentials and execute programs
    in the X display of the user running su.  The worst scenario is the
    one where an administrator, logged in as root, uses "su" to an
    account belonging to an attacker.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3453.html

  7/11/2003 - gnupg
    Key validity vulnerability

    During the development of GnuPG 1.2.2, a bug has been found in the
    key validation code.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3454.html

  7/15/2003 - mpg123
    buffer overflow vulnerability

    A vulnerability[1] in the way mpg123 handles mp3 files with a
    bitrate of zero may allow attackers to execute arbitrary code using
    a specially crafted mp3 file.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3458.html

  7/15/2003 - ucd-snmp
    heap overflow vulnerability

    There is a remote heap overflow vulnerability in snmpnetstat (a
    tool used to retrieve information about a remote host).
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3459.html

  7/16/2003 - ucd-snmp
    remote heap overflow vulnerability

    There is a remote heap overflow vulnerability in snmpnetstat.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3464.html

  7/16/2003 - phpgroupware
    multiple XSS vulnerabilities

    There are several "cross-site-scripting" vulnerabilities in
    versions of phpgroupware <= 0.9.14.003.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3465.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  7/14/2003 - traceroute-nanog
    buffer overflow vulnerability

    traceroute-nanog, an enhanced version of the common traceroute
    program, contains an integer overflow bug which could be exploited
    to execute arbitrary code.  traceroute-nanog is setuid root, but
    drops root privileges immediately after obtaining raw ICMP and raw
    IP sockets.
    http://www.linuxsecurity.com/advisories/debian_advisory-3455.html

  7/14/2003 - nfs-utils
    buffer overflow vulnerability

    The logging code in nfs-utils contains an off-by-one buffer overrun
    when adding a newline to the string being logged.  This
    vulnerability may allow an attacker to execute arbitrary code or
    cause a denial of service condition by sending certain RPC
    requests.
    http://www.linuxsecurity.com/advisories/debian_advisory-3456.html

  7/15/2003 - falconseye
    buffer overflow vulnerability

    The falconseye package is vulnerable to a buffer overflow exploited
    via a long '-s' command line option.
    http://www.linuxsecurity.com/advisories/debian_advisory-3460.html

  7/17/2003 - php4
    XSS vulnerability
    http://www.linuxsecurity.com/advisories/debian_advisory-3468.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  7/11/2003 - unzip
    Directory traversal vulnerability

    By inserting invalid characters between ".." attackers can
    overwrite arbitrary files.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3448.html

  7/11/2003 - cistronradius
    Buffer overflow vulnerability

    Allows remote attackers to cause a denial of service and possibly
    execute arbitrary code via a large value in an NAS-Port attribute,
    which is interpreted as a negative number and causes a buffer
    overflow.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3449.html

  7/11/2003 - ypserv
    Remote denial of service

    Allows remote attackers to cause a denial of service via a TCP
    client request that does not respond to the server, which causes
    ypserv to block.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3450.html

  7/11/2003 - gtksee
    Buffer overflow vulnerability

    Attackers can use carefully crafted png pictures to execute
    arbitrary commands via a buffer overflow when the picture is viewed
    in gtksee.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-3451.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

  7/16/2003 - nfs-utils
    off-by-one overflow vulnerability
    http://www.linuxsecurity.com/advisories/immunix_advisory-3466.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  7/17/2003 - kernel
    multiple vulnerabilities

    Multiple vulnerabilities were discovered and fixed in the Linux
    kernel.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3469.html

+---------------------------------+
|  Distribution: RedHat           | ----------------------------//
+---------------------------------+

  7/14/2003 - nfs-utils
    denial of service vulnerability
    http://www.linuxsecurity.com/advisories/redhat_advisory-3457.html

  7/15/2003 - mozilla
    heap overflow vulnerability

    A heap-based buffer overflow in Netscape and Mozilla allows remote
    attackers to execute arbitrary code via a jar: URL referencing a
    malformed .jar file, which overflows a buffer during decompression.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3461.html

  7/17/2003 - xpdf
    arbitrary code execution vulnerability

    Updated Xpdf packages are available that fix a vulnerability where
    a malicious PDF document could run arbitrary code.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3470.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  7/15/2003 - nfs-utils
    denial of service vulnerability

    This fixes an off-by-one buffer overflow in xlog.c which could be
    used by an attacker to produce a denial of NFS service, or to
    execute arbitrary code.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3462.html

  7/16/2003 - nfs-utils
    off-by-one overflow vulnerability

    There is an off-by-one overflow in xlog() in the nfs-utils package.
    http://www.linuxsecurity.com/advisories/slackware_advisory-3467.html

+---------------------------------+
|  Distribution: SuSe             | ----------------------------//
+---------------------------------+

  7/15/2003 - nfs-utils
    denial of service vulnerability

    There is an off-by-one bug in the xlog() function used by
    rpc.mountd.
    It is possible for remote attackers to use this off-by-one overflow
    to execute arbitrary code as root.
    http://www.linuxsecurity.com/advisories/suse_advisory-3463.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

  7/11/2003 - apache
    Multiple vulnerabilities

    Multiple vulnerabilities, including a possible buffer overflow,
    have been fixed.
    http://www.linuxsecurity.com/advisories/trustix_advisory-3452.html

+---------------------------------+
|  Distribution: TurboLinux       | ----------------------------//
+---------------------------------+

  7/17/2003 - ypserv
    denial of service vulnerability

    The vulnerability allows an attacker to cause a denial of service
    in ypserv.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-3471.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------