+----------------------------------------------------------------+
|  LinuxSecurity.com                         Linux Advisory Watch |
|  June 11th, 2004                           Volume 5, Number 24a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx       ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes point

This week, advisories were released for gatos, jftpgw, ethereal,
gallery, rsync, log2mail, kernel, lha, postgresql, cvs, cups,
squirrelmail, squid, tla, Ethereal, tripwire, sitecopy, mailman,
apache, mdkonline, xpcd, mod_ssl, ksymoops, and kerberos5. The
distributors include Debian, Fedora, FreeBSD, Gentoo, Mandrake,
NetBSD, OpenBSD, Red Hat, Slackware, SuSE, Trustix, and Turbo Linux.

-----

>> Internet Productivity Suite: Open Source Security <<

Trust Internet Productivity Suite's open source architecture to give
you the best security and productivity applications available.
Collaborating with thousands of developers, Guardian Digital security
engineers implement the most technologically advanced ideas and
methods into their design.

http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn10

-----

Unnecessary Software

Each week system administrators are inundated by hundreds of vendor
advisories for every type of software imaginable. From time to time
the patches are critical from a security perspective, but on other
occasions they are merely a fix to a known bug. It is advisable to
update all software on a consistent basis so that a bug in software
does not result in a system vulnerability. Unfortunately, because of
the great number of advisories each week, applying them could be a
full-time job. Applying 10 patches to 30 servers could take days if an
automated process isn't used. Everyone would agree that this is poor
utilization of resources. There are several solutions to the problem.
First, it is often a good idea to choose a specialized distribution,
or to spend time configuring a broad one. For example, those building
a Web server should choose a distribution such as EnGarde Linux that
has already been optimized and secured to perform these services. If
an administrator wishes to use a distribution such as Debian, it is
important that the necessary time is taken to remove everything not
in use. For example, there is no need for a Web server to have a
compiler, X Windows, or games. This option requires system expertise,
but is feasible.

No matter what system is installed, it will almost always be the case
that at least some unnecessary software is installed on it. On an
RPM-based system, a package can be removed with the following command:

    /bin/rpm -e <packagename>

Removing unnecessary software can reduce the administration workload:
there is no longer a need to keep that software up-to-date, and it no
longer has the potential to turn into a vulnerability.

It should be a priority to remove unnecessary setuid/setgid binaries.
Vulnerabilities in these can often lead to root compromise, so they
should only be present when necessary. To find setuid/setgid binaries
on a system, simply use the following command:

    find / -type f -perm +6000

Removing each one that is not in use can greatly reduce the risk of
compromise.

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

Interview with Brian Wotring, Lead Developer for the Osiris Project

Brian Wotring is currently the lead developer for the Osiris project
and president of Host Integrity, Inc. He is also the founder of
knowngoods.org, an online database of known good file signatures.
Brian is the co-author of Mac OS X Security and a long-standing member
of the Shmoo Group, an organization of security and cryptography
professionals.
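The setuid/setgid audit recommended in the Unnecessary Software column above, as an added example rather than the newsletter's own code: it lists privileged binaries under a tree (using the portable -perm -4000 / -perm -2000 tests instead of GNU find's older -perm +6000 spelling), reports the ones missing from an administrator's allow list, and on RPM systems names the owning package so rpm -e can be pointed at it. The sample tree, allow file and paths built by demo are constructed for illustration and are not from any real system.

```shell
#!/bin/sh
# Added example (not code from the newsletter). Assumes POSIX sh and a
# find(1) that understands "-perm -MODE" (GNU, BSD and BusyBox all do).

# list_privileged ROOT
#   Print, sorted, every regular file under ROOT carrying the setuid
#   (4000) or setgid (2000) bit.  -xdev stays on one filesystem so
#   /proc, network mounts and the like are not scanned.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# unexpected_privileged ROOT ALLOWFILE
#   Print the privileged files whose full path is not listed, one per
#   line, in ALLOWFILE.  Exit status follows grep: 0 when something
#   unexpected was found, 1 when the tree matches the allow list, so a
#   cron job can alert on status 0.
unexpected_privileged() {
    list_privileged "$1" | grep -v -x -F -f "$2"
}

# owner_package PATH
#   On an RPM-based system, name the package owning PATH (the argument
#   "rpm -e" would take).  rpm itself reports files owned by no package,
#   which are the ones that deserve the closest look.
owner_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1"
    else
        echo "$1: rpm not available on this host"
    fi
}

# demo
#   Constructed sample tree (hypothetical, not a real system): one
#   approved setuid binary, one unapproved setgid game and one ordinary
#   binary.  Prints unexpected privileged files relative to the root.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/games"
    : > "$root/usr/bin/passwd";    chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/games/nethack"; chmod 2755 "$root/usr/games/nethack"
    : > "$root/usr/bin/ls";        chmod 0755 "$root/usr/bin/ls"
    printf '%s\n' "$root/usr/bin/passwd" > "$root/allow.txt"
    unexpected_privileged "$root/usr" "$root/allow.txt" | sed "s|^$root||"
    rm -rf "$root"
}

demo
```

On a live system run list_privileged / against a saved allow list and feed each reported path to owner_package before deciding whether to remove the package or just clear the bit with chmod u-s,g-s.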
Full interview: http://www.linuxsecurity.com/feature_stories/feature_story-164.html

--------------------------------------------------------------------

Guardian Digital Launches Next Generation Secure Mail Suite

Guardian Digital, the premier open source security company, announced
the availability of the next generation Secure Mail Suite, the
industry's most secure open source corporate email system. This latest
edition has been optimized to support the changing needs of enterprise
and small business customers while continually providing protection
from the latest in email security threats.

http://www.linuxsecurity.com/feature_stories/feature_story-166.html

--------------------------------------------------------------------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  6/8/2004 - gatos
    Privilege escalation vulnerability
    If initialization fails due to a missing configuration file, root
    privileges are not dropped, and xatitv executes the system(3)
    function without sanitizing user-supplied environment variables.
    http://www.linuxsecurity.com/advisories/debian_advisory-4434.html

  6/8/2004 - jftpgw
    Format string vulnerability
    A remote user could potentially cause arbitrary code to be executed
    with the privileges of the jftpgw server process.
    http://www.linuxsecurity.com/advisories/debian_advisory-4435.html

  6/8/2004 - ethereal
    Buffer overflow vulnerabilities
    Several buffer overflow vulnerabilities were discovered in ethereal.
    http://www.linuxsecurity.com/advisories/debian_advisory-4436.html

  6/8/2004 - gallery
    Unauthenticated access
    A remote attacker could gain access to the gallery "admin" user
    without proper authentication.
    http://www.linuxsecurity.com/advisories/debian_advisory-4437.html

  6/8/2004 - rsync
    Directory traversal vulnerability
    A remote user could cause an rsync daemon to write files outside of
    the intended directory tree, if the daemon is not configured with
    the 'chroot' option.
    http://www.linuxsecurity.com/advisories/debian_advisory-4438.html

  6/8/2004 - log2mail
    Format string vulnerability
    Exploitation could cause arbitrary code to be executed with the
    privileges of the log2mail process.
    http://www.linuxsecurity.com/advisories/debian_advisory-4439.html

  6/8/2004 - kernel 2.2.20
    Privilege escalation vulnerability
    Due to flushing the TLB too early it is possible for an attacker to
    trigger a local root exploit. This fix is to the sparc-built kernel
    and the kernel source.
    http://www.linuxsecurity.com/advisories/debian_advisory-4440.html

  6/8/2004 - lha
    Multiple vulnerabilities
    Fixes multiple buffer overflows and multiple directory traversal
    vulnerabilities.
    http://www.linuxsecurity.com/advisories/debian_advisory-4441.html

  6/8/2004 - postgresql
    Denial of service vulnerability
    It is possible to exploit this problem and crash the surrounding
    application.
    http://www.linuxsecurity.com/advisories/debian_advisory-4442.html

  6/10/2004 - cvs
    Buffer overflow vulnerability
    Derek Robert Price discovered a potential buffer overflow
    vulnerability in the CVS server.
    http://www.linuxsecurity.com/advisories/debian_advisory-4462.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  6/8/2004 - cups
    Non-encryption vulnerability
    Among other bugs, this fixes a failure to use encryption when
    required.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4429.html

  6/8/2004 - ethereal
    Multiple vulnerabilities
    This patch fixes three DoS vulnerabilities and a buffer overflow.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4430.html

  6/8/2004 - net-tools
    Excessive privilege vulnerability
    netlink_listen and netlink_receive_dump should both check the source
    of the packets by looking at nl_pid and ensuring that it is 0 before
    performing any reconfiguration of network interfaces.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4431.html

  6/8/2004 - krb5
    Multiple buffer overflows
    Exploitation could lead to denial of service or arbitrary code
    execution.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4433.html

  6/10/2004 - squirrelmail
    Multiple vulnerabilities
    Patch fixes a SQL injection and a cross-site scripting flaw.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4460.html

  6/10/2004 - squid
    Buffer overflow vulnerability
    A remotely-exploitable buffer overflow allows the execution of
    arbitrary code.
    http://www.linuxsecurity.com/advisories/fedora_advisory-4461.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

  6/8/2004 - kernel
    Excessive privilege vulnerability
    Jailed processes can manipulate host routing tables.
    http://www.linuxsecurity.com/advisories/freebsd_advisory-4428.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  6/8/2004 - tla
    Heap overflow vulnerability
    This vulnerability could allow execution of arbitrary code with the
    rights of the user running tla. Note: Important errata included at
    bottom.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4423.html

  6/8/2004 - MPlayer, xine-lib
    Multiple vulnerabilities (heap overflow)
    A remote attacker, posing as an RTSP stream server, can execute
    arbitrary code with the rights of the user of the software playing
    the stream.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4424.html

  6/8/2004 - Ethereal
    Multiple vulnerabilities
    Exploitation may allow an attacker to run arbitrary code or crash
    the program.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4425.html

  6/8/2004 - tripwire
    Format string vulnerability
    An attacker could cause execution of arbitrary code with the
    permissions of the user running tripwire, which could be the root
    user.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4426.html

  6/8/2004 - sitecopy
    Multiple vulnerabilities
    When connected to a malicious WebDAV server, these vulnerabilities
    could allow execution of arbitrary code with the rights of the user
    running sitecopy.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4427.html

  6/10/2004 - Mailman
    Password leak
    Mailman contains a bug allowing third parties to retrieve member
    passwords.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4457.html

  6/10/2004 - apache
    Buffer overflow vulnerability
    A bug in mod_ssl may allow a remote attacker to execute remote code
    when Apache is configured a certain way.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4458.html

  6/10/2004 - cvs
    Multiple vulnerabilities
    Several serious new vulnerabilities have been found in CVS, which
    may allow an attacker to remotely compromise a CVS server.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-4459.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  6/8/2004 - mdkonline
    Squid incompatibility
    Though not a security problem per se, this is important to anyone
    who uses Mandrake Online to patch their systems.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4417.html

  6/8/2004 - xpcd
    Buffer overflow vulnerability
    The problem could be exploited by a local attacker to obtain root
    privileges.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4418.html

  6/8/2004 - mod_ssl
    Buffer overflow vulnerability
    A remote attacker may be able to execute arbitrary code via a client
    certificate with a long subject DN.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4419.html

  6/8/2004 - apache2
    Buffer overflow vulnerability
    When mod_ssl is configured to trust the issuing CA, a remote
    attacker may be able to execute arbitrary code via a client
    certificate with a long subject DN.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4420.html

  6/8/2004 - krb5
    Buffer overflow vulnerabilities
    This could lead to root privileges, though it requires successful
    authentication plus a non-default configuration to exploit.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4421.html

  6/8/2004 - tripwire
    Format string vulnerability
    Exploitation could allow a local user to execute arbitrary code with
    the rights of the user running tripwire (typically root).
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4422.html

  6/10/2004 - krb5
    Patch fix
    The original patch provided contained a bug where rule-based entries
    on systems without HAVE_REGCOMP would not work.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4452.html

  6/10/2004 - mdkonline
    Patch fix
    The previous update did not parse noarch packages, and new archs
    have been added (ia64, amd64, x86_64, ppc64) as well. In addition,
    the mdkapplet now forces a restart when changes to itself have
    occurred.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4453.html

  6/10/2004 - cvs
    Multiple vulnerabilities
    This patch addresses four separate security issues with cvs.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4454.html

  6/10/2004 - squid
    Buffer overflow vulnerability
    This buffer overflow can be exploited by a remote attacker by
    sending an overly long password, and grants the ability to execute
    arbitrary code.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4455.html

  6/10/2004 - ksymoops
    Insecure temporary file vulnerability
    The script fails to do proper checking when copying a file to the
    /tmp directory.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-4456.html

+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

  6/8/2004 - cvs
    Heap overflow vulnerabilities
    CVS had heap overflow vulnerabilities which can be triggered
    remotely by malicious people on the net.
    http://www.linuxsecurity.com/advisories/netbsd_advisory-4416.html

+---------------------------------+
|  Distribution: OpenBSD          | ----------------------------//
+---------------------------------+

  6/10/2004 - cvs
    Multiple vulnerabilities
    While no exploits are known to exist for these bugs under OpenBSD
    at this time, some of the bugs have proven exploitable on other
    operating systems.
    http://www.linuxsecurity.com/advisories/openbsd_advisory-4451.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  6/8/2004 - cvs
    Denial of service vulnerabilities
    Updated cvs packages that fix remote denial of service
    vulnerabilities are now available. (This is a legacy Red Hat fix,
    released by the Fedora Project.)
    http://www.linuxsecurity.com/advisories/redhat_advisory-4432.html

  6/9/2004 - Ethereal
    Multiple vulnerabilities
    Patch fixes a buffer overflow plus several denial of service
    vulnerabilities.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4443.html

  6/9/2004 - krb5
    Buffer overflow vulnerabilities
    Updated Kerberos 5 (krb5) packages which correct buffer overflows in
    the krb5_aname_to_localname function are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4444.html

  6/9/2004 - squid
    Buffer overflow vulnerability
    If Squid is configured to use the NTLM authentication helper, a
    remote attacker could potentially execute arbitrary code by sending
    a lengthy password.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4445.html

  6/9/2004 - cvs
    Multiple vulnerabilities
    This patch resolves many outstanding vulnerabilities of cvs.
    http://www.linuxsecurity.com/advisories/redhat_advisory-4446.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

  6/8/2004 - mod_ssl
    Buffer overflow vulnerability
    May allow remote attackers to execute arbitrary code via a client
    certificate with a long subject DN, if mod_ssl is configured to
    trust the issuing CA.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4414.html

  6/8/2004 - php
    Insecure path vulnerability
    Exploitation of this issue requires a static library at an insecure
    path, and could allow denial of service or arbitrary code execution.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4415.html

  6/10/2004 - cvs
    Multiple vulnerabilities
    Resolves many vulnerabilities, including a buffer overflow.
    http://www.linuxsecurity.com/advisories/slackware_advisory-4450.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

  6/10/2004 - cvs
    Multiple vulnerabilities
    These bugs allow remote attackers to execute arbitrary code as the
    user the CVS server runs as.
    http://www.linuxsecurity.com/advisories/suse_advisory-4448.html

  6/10/2004 - squid
    Buffer overflow vulnerability
    Squid is vulnerable to a buffer overflow that can be exploited
    remotely by using a long password to execute arbitrary code.
    http://www.linuxsecurity.com/advisories/suse_advisory-4449.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

  6/8/2004 - apache
    Buffer overflow vulnerability
    A stack-based buffer overflow may allow remote attackers to execute
    arbitrary code via a client certificate with a long subject DN.
    http://www.linuxsecurity.com/advisories/trustix_advisory-4412.html

  6/8/2004 - kerberos5
    Buffer overflow vulnerabilities
    Exploitation of these flaws requires an unusual combination of
    factors, including successful authentication to a vulnerable
    service and a non-default configuration on the target service.
    http://www.linuxsecurity.com/advisories/trustix_advisory-4413.html

  6/10/2004 - squid
    Buffer overflow vulnerability
    Remote exploitation of a buffer overflow vulnerability in Squid Web
    Proxy Cache could allow a remote attacker to execute arbitrary code.
    http://www.linuxsecurity.com/advisories/trustix_advisory-4447.html

+---------------------------------+
|  Distribution: Turbolinux       | ----------------------------//
+---------------------------------+

  6/8/2004 - Multiple Pkgs
    Multiple vulnerabilities
    cvs (2 issues), tcpdump (2 issues), and apache (multiple issues)
    have been resolved.
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-4411.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------