+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 14th, 2003                      Volume 4, Number 45a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                 Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx      ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for thttpd, cups, ethereal, mpg123,
xinetd, hylafax, postgresql, conquest, epic4, glibc, and zebra. The
distributors include Conectiva, Debian, Mandrake, Red Hat, and SuSE.

---

>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use a
Thawte Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates. Get your
copy of this new guide now:

Click Command:
https://www.guardiandigital.com/cgi-bin/thawteguide.pl?guidetype=apache

---

The recent news has been flooded with reports about a looming security
FUD campaign against Linux. Although I have strong opinions on this
matter, I've decided to keep quiet about it this week simply because
additional hype will not help the situation. Readers of this newsletter
are already aware of the merits of Linux and its potential for achieving
an acceptable state of security. Rather than re-hash the same old
rhetoric, I've decided to write about something a little bit more
practical this week: tunneling through SSH.

As you probably saw last week, the fifth vulnerability listed on the
SANS Top 10 for Unix list is 'clear text services.' Sadly, these will
remain a problem for years to come simply because many older
applications are dependent on these.
For example, a Web development team may use an HTML editor that has a
built-in FTP client. The moment that you suggest they stop using this
editor and start using SFTP or SCP, they'll laugh in your face.
Unfortunately, there is always a balance between security and
convenience, and convenience usually wins. In most cases, a compromise
can be established by tunneling insecure plaintext services through SSH.

Probably the biggest misconception is that tunneling is difficult. In
fact, it is quite the opposite. A tunnel can be set up in less than a
minute and put a stop to years of paranoia. A tunnel can be established
with a simple command at the command line. For example, to establish a
tunnel:

  prompt$ ssh -L 2121:remotehost:21 bdthomas@remotehost -i keyfile.key

To establish the FTP connection (at a new terminal):

  prompt$ ftp -p localhost 2121

At both terminals, you will authenticate as normal.

Looking at the example above, you'll see that the user is trying to make
a secure FTP connection to 'remotehost.' To establish the tunnel, the
SSH option '-L 2121:remotehost:21' was given. This simply means: listen
on local port 2121 and forward to port 21 on remotehost. The options can
be changed to fit any port requirement of any plaintext service.

If you've never given SSH tunneling a try, hopefully I've given you
enough information to be interested. Sometimes it can be a lifesaver
because of its simplicity. There is a large amount of information
available on Google. Also, Brian Hatch has written several good pieces
that are available on LinuxSecurity.com:

http://www.linuxsecurity.com/articles/documentation_article-6822.html

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---

OpenVPN: An Introduction and Interview with Founder, James Yonan

In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.
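The tunnel and FTP session from the column above, as an added example that is not part of the original newsletter: a small POSIX sh script that binds the listener to loopback only, refuses to start the ftp client if the forward could not be set up, and closes the tunnel afterwards. remotehost, bdthomas and keyfile.key are the column's placeholder values; the control-socket path and the "run" argument are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the column: wrap its "ssh -L" tunnel in a
# small POSIX sh script that validates the ports, builds the ssh command
# and tears the tunnel down when the FTP session ends.
# remotehost, bdthomas and keyfile.key are the column's placeholder values.

# A TCP port is digits only and within 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec LPORT RHOST RPORT -> "127.0.0.1:LPORT:RHOST:RPORT"
# Binding explicitly to 127.0.0.1 keeps the plaintext listener off every
# other interface instead of leaving that to the GatewayPorts setting.
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# tunnel_cmd LPORT RHOST RPORT USER KEYFILE SOCKET -> complete ssh command
#   -N  forward only, no remote shell
#   -f  background once authentication and the forward are done
#   -o ExitOnForwardFailure=yes  fail if LPORT is already taken, rather
#      than silently leaving the ftp client to connect with no tunnel
#   -M -S SOCKET  control socket so the tunnel can be closed later
tunnel_cmd() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -M -S %s -L %s -i %s %s@%s' \
        "$6" "$spec" "$5" "$4" "$2"
}

# Full lifecycle, run only when invoked as: sh tunnel.sh run
if [ "${1:-}" = run ]; then
    sock="${TMPDIR:-/tmp}/ftp-tunnel.$$"
    cmd=$(tunnel_cmd 2121 remotehost 21 bdthomas keyfile.key "$sock") ||
        { echo 'invalid port number' >&2; exit 1; }
    $cmd || exit 1                      # authenticate to remotehost as usual
    ftp -p localhost 2121               # control channel now rides the tunnel
    ssh -S "$sock" -O exit remotehost   # close the master; the forward goes with it
fi
```

Note that passive-mode FTP still opens its data connections directly to the address and port the server returns in its PASV reply, outside the tunnel, so this protects the login and commands on the control channel but not the file transfers themselves.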
http://www.linuxsecurity.com/feature_stories/feature_story-152.html

--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT?

EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde!
Winner of the Network Computing Editor's Choice Award, EnGarde "walked
away with our Editor's Choice award thanks to the depth of its security
strategy..." Find out what the other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------

FEATURE: R00ting The Hacker

Dan Verton, the author of The Hacker Diaries: Confessions of Teenage
Hackers, is a former intelligence officer in the U.S. Marine Corps who
currently writes for Computerworld and CNN.com, covering national
cyber-security issues and critical infrastructure protection.

http://www.linuxsecurity.com/feature_stories/feature_story-150.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  11/7/2003 - thttpd
    Multiple vulnerabilities

    Multiple vulnerabilities including sensitive file disclosure,
    cross-site scripting, and directory traversal vulnerabilities have
    been fixed.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3765.html

  11/7/2003 - net-snmp
    Multiple vulnerabilities

    "net-snmp" version 5.0.9 was released to address a security
    vulnerability in previous 5.0.x versions where an existing
    user/community could get access to data in MIB objects that were
    explicitly excluded from their view.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3766.html

  11/7/2003 - cups
    DoS vulnerability

    It has been reported that the IPP daemon from the Cups package can
    under some circumstances enter a loop and consume excessive CPU
    resources, causing the service to become slow and unresponsive.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3767.html

  11/7/2003 - ethereal
    Multiple vulnerabilities

    This update announcement addresses several vulnerabilities[2] in
    ethereal versions prior to 0.9.16. These vulnerabilities can be
    exploited by an attacker who can insert crafted packets in the wire
    being monitored by ethereal or make a user open a trace file with
    such packets inside.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3770.html

  11/12/2003 - mpg123
    Buffer overflow vulnerability

    When used to play mp3 audio streams over the network, audio servers
    can exploit this vulnerability by sending a carefully crafted
    response to the client which will overflow a buffer on the heap and
    execute arbitrary code.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3778.html

  11/12/2003 - xinetd
    Multiple vulnerabilities

    A memory leak and several other problems have been fixed in the
    latest version of xinetd.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3779.html

  11/12/2003 - hylafax
    Format string vulnerability

    This vulnerability can be exploited by a remote attacker to execute
    arbitrary code with the privileges of the root user on the host
    where hfaxd is running.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3780.html

  11/13/2003 - postgresql
    Multiple buffer overflow vulnerabilities

    Multiple buffer overflow vulnerabilities in the to_ascii() function
    have been fixed.
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3781.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  11/7/2003 - postgresql
    Remote buffer overflow vulnerability

    Tom Lane discovered a buffer overflow in the to_ascii function in
    PostgreSQL. This allows remote attackers to execute arbitrary code
    on the host running the database.
    http://www.linuxsecurity.com/advisories/debian_advisory-3771.html

  11/10/2003 - conquest
    Buffer overflow vulnerability

    Steve Kemp discovered a buffer overflow in the environment variable
    handling of conquest, a curses-based, real-time, multi-player space
    warfare game, which could allow a local attacker to gain
    unauthorised access to the group conquest.
    http://www.linuxsecurity.com/advisories/debian_advisory-3772.html

  11/10/2003 - epic4
    Buffer overflow vulnerability

    A malicious server could craft a reply which triggers the client to
    allocate a negative amount of memory. This could lead to a denial of
    service if the client only crashes, but may also lead to execution
    of arbitrary code under the user id of the chatting user.
    http://www.linuxsecurity.com/advisories/debian_advisory-3773.html

  11/11/2003 - omega-rpg
    Buffer overflow vulnerability

    Steve Kemp discovered a buffer overflow in the command line and
    environment variable handling of omega-rpg.
    http://www.linuxsecurity.com/advisories/debian_advisory-3776.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  11/11/2003 - hylafax
    Buffer overflow vulnerability

    The SuSE Security Team discovered a format bug condition that allows
    remote attackers to execute arbitrary code as the root user.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3777.html

  11/12/2003 - fileutils/coreutils
    Denial of service vulnerability

    A memory starvation denial of service vulnerability in the ls
    program was discovered.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3783.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  11/10/2003 - ethereal
    Buffer overflow vulnerability

    Updated Ethereal packages that fix a number of exploitable security
    issues are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3775.html

  11/12/2003 - glibc
    Multiple vulnerabilities

    Updated glibc packages that resolve vulnerabilities and address
    several bugs are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3784.html

  11/12/2003 - PostgreSQL
    Buffer overflow vulnerability

    Updated PostgreSQL packages that correct a buffer overflow in the
    to_ascii routines are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3785.html

  11/12/2003 - zebra
    Multiple vulnerabilities

    Updated zebra packages that close a locally-exploitable and a
    remotely-exploitable denial of service vulnerability are now
    available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-3786.html

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

  11/10/2003 - hylafax
    Remote code execution vulnerability

    The SuSE Security Team found a format bug condition during a code
    review of the hfaxd server. It allows remote attackers to execute
    arbitrary code as root. However, the bug cannot be triggered in
    hylafax's default configuration.
    http://www.linuxsecurity.com/advisories/suse_advisory-3774.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.
                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------