+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  September 19, 2003                           Volume 4, Number 37a  |
+---------------------------------------------------------------------+

Editors:     Dave Wreski                Benjamin Thomas
             dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

Folks, there are a lot of advisories this week. Be sure to check your
distribution carefully, as many of them are significant. This week,
advisories were released for mana, pine, gtkhtml, openssh, sendmail,
MySQL, xfree86, buffer, kernel, and KDE. The distributors include SCO,
Conectiva, Debian, EnGarde, FreeBSD, Gentoo, Immunix, NetBSD, Red Hat,
Slackware, SuSE, Trustix, TurboLinux, and Yellow Dog.

>> FREE Apache SSL Guide from Thawte <<

Are you worried about your web server security? Click here to get a
FREE Thawte Apache SSL Guide and find the answers to all your Apache
SSL security needs.

Click Command:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache

----

FEATURE: A Practical Approach of Stealthy Remote Administration

This paper is written for those paranoid administrators who are looking
for a stealthy technique of managing sensitive servers (like your
enterprise firewall console or IDS).

http://www.linuxsecurity.com/feature_stories/feature_story-149.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what
the other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

Expert vs. Expertise: Computer Forensics and the Alternative OS

No longer a dark and mysterious process, computer forensics have been
significantly on the scene for more than five years now. Despite this,
they have only recently gained the notoriety they deserve.

http://www.linuxsecurity.com/feature_stories/feature_story-147.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: SCO              | ----------------------------//
+---------------------------------+

9/15/2003 - mana: local vulnerability
  There are multiple local environment variable vulnerabilities in mana.
  http://www.linuxsecurity.com/advisories/caldera_advisory-3622.html


+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

9/12/2003 - pine: multiple remote vulnerabilities
  A buffer overflow and an integer overflow that can be exploited by
  remote attackers through the sending of specially crafted messages
  have been fixed.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3616.html

9/12/2003 - gtkhtml: buffer overflow vulnerability
  Multiple buffer overflow vulnerabilities existed that could be
  exploited to at least crash programs linked to gtkhtml by using
  malformed HTML. In the case of Evolution, a remote attacker can use
  an HTML mail as an attack vector.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3617.html

9/16/2003 - openssh: buffer management error
  This update fixes a potential remote vulnerability in the buffer
  handling code of OpenSSH.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3623.html

9/17/2003 - openssh: remote vulnerabilities
  This update fixes new vulnerabilities found in the code that handles
  buffers in OpenSSH.
  These vulnerabilities are similar to the ones fixed in the
  CLSA-2003:739 announcement and can be exploited by a remote attacker
  to cause a denial of service condition and potentially execute
  arbitrary code.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3648.html

9/18/2003 - sendmail: buffer overflow vulnerabilities
  Michal Zalewski reported a remote vulnerability in sendmail versions
  8.12.9 and earlier.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3656.html

9/18/2003 - MySQL: multiple vulnerabilities
  World writable configuration files, a double-free vulnerability, and
  a password handler buffer overflow have been fixed in this update.
  http://www.linuxsecurity.com/advisories/connectiva_advisory-3658.html


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

9/12/2003 - xfree86: multiple vulnerabilities
  Four vulnerabilities have been identified and fixed in XFree86,
  including a potential denial of service vulnerability.
  http://www.linuxsecurity.com/advisories/debian_advisory-3618.html

9/15/2003 - mysql: buffer overflow vulnerability
  MySQL contains a buffer overflow condition which could be exploited
  by a user who has permission to execute "ALTER TABLE" commands on the
  tables in the "mysql" database.
  http://www.linuxsecurity.com/advisories/debian_advisory-3619.html

9/16/2003 - ssh: buffer management error
  A bug has been found in OpenSSH's buffer handling where a buffer
  could be marked as grown when the actual reallocation failed.
  http://www.linuxsecurity.com/advisories/debian_advisory-3624.html

9/17/2003 - openssh: multiple vulnerabilities
  This advisory is an addition to the earlier DSA-382-1 advisory: two
  more buffer handling problems have been found in addition to the one
  described in DSA-382-1.
  http://www.linuxsecurity.com/advisories/debian_advisory-3633.html

9/17/2003 - openssh-krb5: buffer handling vulnerabilities
  Several bugs have been found in OpenSSH's buffer handling. It is not
  known if these bugs are exploitable, but as a precaution an upgrade
  is advised.
  http://www.linuxsecurity.com/advisories/debian_advisory-3634.html

9/18/2003 - sendmail: buffer overflow vulnerabilities
  There are multiple buffer overflow vulnerabilities in the sendmail
  package.
  http://www.linuxsecurity.com/advisories/debian_advisory-3651.html


+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

9/16/2003 - OpenSSH: buffer management error
  The OpenSSH daemon shipped with all versions of EnGarde Secure Linux
  contains a potentially exploitable buffer management error.
  http://www.linuxsecurity.com/advisories/engarde_advisory-3621.html

9/18/2003 - Additional 'OpenSSH' buffer management bugs
  After the release of ESA-20030916-023, the OpenSSH team discovered
  more buffer management bugs (fixed in OpenSSH 3.7.1) of the same
  type. Additionally, Solar Designer fixed additional bugs of this
  class. His fixes are included in this update.
  http://www.linuxsecurity.com/advisories/engarde_advisory-3649.html

9/18/2003 - 'MySQL' buffer overflow
  The MySQL daemon contains a buffer overflow which may be exploited by
  any user who has ALTER TABLE permissions on the "mysql" database.
  http://www.linuxsecurity.com/advisories/engarde_advisory-3650.html


+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

9/16/2003 - buffer management error
  A bug has been found in OpenSSH's buffer handling where a buffer
  could be marked as grown when the actual reallocation failed.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-3625.html

9/17/2003 - sendmail: multiple overflow vulnerabilities
  A buffer overflow that may occur during header parsing was
  identified. An attacker could create a specially crafted message that
  may cause sendmail to execute arbitrary code with the privileges of
  the user running sendmail, typically root.
  http://www.linuxsecurity.com/advisories/freebsd_advisory-3647.html


+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

9/15/2003 - mysql: buffer overflow vulnerability
  Anyone with global administrative privileges on a MySQL server may
  execute arbitrary code, even on a host he isn't supposed to have a
  shell on, with the privileges of the system account running the
  MySQL server.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-3620.html

9/16/2003 - exim: buffer overflow vulnerability
  There's a heap overflow in all versions of exim3 and exim4 prior to
  version 4.21. It can be exercised by anyone who can make an SMTP
  connection to the exim daemon.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-3626.html

9/16/2003 - openssh: buffer management error
  All versions of OpenSSH's sshd prior to 3.7 contain a buffer
  management error. It is uncertain whether this error is potentially
  exploitable; however, we prefer to see bugs fixed proactively.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-3629.html

9/17/2003 - sendmail: buffer overflow vulnerabilities
  Fix a buffer overflow in address parsing. Fix a potential buffer
  overflow in ruleset parsing.
  This problem is not exploitable in the default sendmail
  configuration.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-3646.html


+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

9/16/2003 - openssh: buffer management error
  A bug has been found in OpenSSH's buffer handling where a buffer
  could be marked as grown when the actual reallocation failed.
  http://www.linuxsecurity.com/advisories/immunix_advisory-3627.html

9/17/2003 - openssh: buffer management error
  This advisory has been updated to reflect that the OpenSSH team has
  found more instances of the programming idiom in question in their
  codebase.
  http://www.linuxsecurity.com/advisories/immunix_advisory-3635.html

9/18/2003 - sendmail: buffer overflow vulnerabilities
  Michal Zalewski discovered flaws in sendmail's prescan() function.
  http://www.linuxsecurity.com/advisories/immunix_advisory-3652.html


+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

9/17/2003 - openssh: buffer overflow vulnerability
  A buffer overwrite with unknown consequences has been found in
  OpenSSH.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-3636.html

9/17/2003 - kernel: memory disclosure vulnerability
  The iBCS2 system call translator for statfs erroneously used the
  user-supplied length parameter when copying a kernel data structure
  into userland.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-3637.html

9/17/2003 - sysctl: multiple vulnerabilities
  Three unrelated problems with inappropriate argument handling were
  found in the kernel sysctl code, which could be exploited by a
  malicious local user.
  http://www.linuxsecurity.com/advisories/netbsd_advisory-3638.html


+---------------------------------+
|  Distribution: RedHat           | ----------------------------//
+---------------------------------+

9/16/2003 - openssh: buffer management error
  A bug has been found in OpenSSH's buffer handling where a buffer
  could be marked as grown when the actual reallocation failed.
  http://www.linuxsecurity.com/advisories/redhat_advisory-3628.html

9/16/2003 - KDE: multiple vulnerabilities
  Updated KDE packages that resolve a local security issue with KDM PAM
  support and weak session cookie generation are now available.
  http://www.linuxsecurity.com/advisories/redhat_advisory-3631.html

9/17/2003 - OpenSSH: buffer manipulation vulnerabilities
  Updated packages are now available to fix additional buffer
  manipulation problems which were fixed in OpenSSH 3.7.1.
  http://www.linuxsecurity.com/advisories/redhat_advisory-3644.html

9/17/2003 - sendmail: multiple overflow vulnerabilities
  Updated Sendmail packages that fix a potentially exploitable
  vulnerability are now available. The successful exploitation of this
  bug can lead to heap and stack structure overflows.
  http://www.linuxsecurity.com/advisories/redhat_advisory-3645.html


+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

9/16/2003 - openssh: buffer management error
  These fix a buffer management error found in versions of OpenSSH
  earlier than 3.7. The possibility exists that this error could allow
  a remote exploit, so we recommend all sites running OpenSSH upgrade
  to the new OpenSSH package immediately.
  http://www.linuxsecurity.com/advisories/slackware_advisory-3630.html

9/17/2003 - openssh: buffer management errors
  These packages fix additional buffer management errors that were not
  corrected in the recent 3.7p1 release.
  http://www.linuxsecurity.com/advisories/slackware_advisory-3639.html

9/17/2003 - sendmail: multiple vulnerabilities
  There are multiple vulnerabilities in the sendmail package.
  http://www.linuxsecurity.com/advisories/slackware_advisory-3640.html


+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

9/16/2003 - openssh: buffer management vulnerability
  A programming error has been found in code responsible for buffer
  management. If exploited by a (remote) attacker, the error may lead
  to unauthorized access to the system, allowing the execution of
  arbitrary commands.
  http://www.linuxsecurity.com/advisories/suse_advisory-3632.html

9/18/2003 - openssh: buffer management errors
  A programming error has been found in code responsible for buffer
  management.
  http://www.linuxsecurity.com/advisories/suse_advisory-3657.html


+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

9/17/2003 - openssh: buffer management error
  All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
  management errors.
  http://www.linuxsecurity.com/advisories/trustix_advisory-3641.html

9/17/2003 - mysql: buffer overflow vulnerability
  Fixed a buffer overflow in SET PASSWORD which could potentially be
  exploited by MySQL users with root privileges to execute random code
  or to gain shell access.
  http://www.linuxsecurity.com/advisories/trustix_advisory-3642.html


+---------------------------------+
|  Distribution: TurboLinux       | ----------------------------//
+---------------------------------+

9/17/2003 - openssh: buffer management error
  This vulnerability may allow a remote attacker to execute arbitrary
  code.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-3643.html

9/18/2003 - sendmail: buffer overflow vulnerabilities
  The potential buffer overflows are in ruleset parsing and address
  parsing for sendmail.
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-3653.html


+---------------------------------+
|  Distribution: YellowDog        | ----------------------------//
+---------------------------------+

9/18/2003 - openssh: buffer management errors
  Updated packages are now available to fix additional buffer
  manipulation problems which were fixed in OpenSSH 3.7.1.
  http://www.linuxsecurity.com/advisories/yellowdog_advisory-3654.html

9/18/2003 - sendmail: buffer overflow vulnerabilities
  Michal Zalewski found a bug in the prescan() function of unpatched
  Sendmail versions prior to 8.12.10.
  http://www.linuxsecurity.com/advisories/yellowdog_advisory-3655.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------