+---------------------------------------------------------------------+
|  LinuxSecurity.com                               Weekly Newsletter  |
|  July 30, 2004                                Volume 5, Number 30a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

This week, advisories were released for sendmail, tcpdump, kernel,
samba, mailreader, courier, abiword, subversion, php, sox, Pavuk,
phpMyAdmin, postgresql, XFree86, webmin, mod_ssl and wv. The
distributors include SCO Group, Conectiva, Debian, Fedora, Gentoo,
Mandrake, Red Hat, Slackware, Suse and Trustix.

-----

>> Need to Secure Multiple Domain or Host Names? <<

Securing multiple domain or host names need not burden you with
unwanted administrative hassles. Learn more about how the
cost-effective Thawte Starter PKI program can streamline management
of your digital certificates.

Click here to download our Free guide:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=thawte07

-----

Using Sudo

Sudo is a mechanism for providing root privileges to an ordinary user.

If you absolutely positively need to allow someone (hopefully very
trusted) to have superuser access to your machine, there are a few
tools that can help. Sudo allows users to use their own password to
access a limited set of commands as root. Sudo keeps a log of all
successful and unsuccessful sudo attempts, allowing you to track down
who used what command to do what. For this reason sudo works well even
in places where a number of people have root access, because running
commands through sudo lets you keep track of the changes made.

Although sudo can be used to give specific users specific privileges
for specific tasks, it does have several shortcomings. It should be
used only for a limited set of tasks, like restarting a server or
adding new users. Any program that offers a shell escape will give the
user root access. This includes most editors, for example.
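
An added example, not part of the original newsletter: a small Python
check that reads sudoers rules and flags grants that go beyond the
limited set of tasks recommended above (ALL, a shell, or a program with
a shell escape such as an editor). The program lists, the simplified
rule parser and the sample rules are assumptions made for this example;
NOEXEC and sudoedit are sudo's own features for containing escapes.

```python
import re

# Assumed, non-exhaustive lists: shells, and programs that can spawn a shell.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "su"}
ESCAPERS = {"vi", "vim", "emacs", "ed", "less", "more", "man"}
# user host = [(runas)] cmd[, cmd...]; no escaped commas or continuations.
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOEXEC:, NOPASSWD:, ...

# Constructed sample sudoers text, not taken from any real system.
SAMPLE = """\
Defaults logfile=/var/log/sudo.log
Cmnd_Alias WEB = /etc/init.d/httpd restart
alice ALL = (root) ALL
bob   ALL = WEB, /usr/bin/vi /etc/httpd/conf/httpd.conf
carol ALL = NOEXEC: /usr/bin/less /var/log/messages
dan   ALL = /usr/sbin/useradd, /bin/bash
erin  ALL = sudoedit /etc/httpd/conf/httpd.conf
"""

def classify(cmd, noexec):
    """Name the risk one sudoers command carries, or None if it looks contained."""
    name = cmd.split()[0].rsplit("/", 1)[-1] if cmd.split() else ""
    if name == "ALL" or name in SHELLS:
        return "unrestricted root" if name == "ALL" else "root shell"
    return "shell escape" if name in ESCAPERS and not noexec else None

def audit(text):
    """Return [(user, command, risk)] for every risky grant in sudoers text."""
    aliases, findings = {}, []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m["who"].startswith("Defaults"):
            continue
        cmds = [c.strip() for c in m["cmds"].split(",")]
        if m["who"].endswith("_Alias"):
            aliases[m["who"], m["host"]] = cmds  # only Cmnd_Alias is looked up
            continue
        noexec = False  # NOEXEC: keeps a command from running other programs
        for cmd in cmds:
            while (tag := TAG.match(cmd)):  # tags carry forward along the list
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag[1], noexec)
                cmd = cmd[tag.end():]
            for c in aliases.get(("Cmnd_Alias", cmd), [cmd]):
                if (risk := classify(c, noexec)):
                    findings.append((m["who"], c, risk))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample it reports alice, bob and dan; carol's pager runs under
NOEXEC and erin edits through sudoedit, so neither is flagged.
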
Also, a program as innocuous as /bin/cat can be used to overwrite
files, which could allow root to be exploited. Consider sudo as a means
for accountability, and don't expect it to replace the root user and
still be secure.

To do almost any administrative function in Linux one requires root
(privileged) access. Unfortunately, the built-in mechanisms that can be
used to grant this type of access are relatively weak. The primary tool
is "su", which lets you run a shell as another user. Unfortunately, you
need the other user's password, so everyone you want to grant root
access will have the password and unrestricted access. A slightly more
fine-grained tool is the setuid or setgid bit: if this is set on a
file, the file runs as the user or group that owns it (typically root).
Managing file permissions, and ensuring there are no bugs in the
program that can be used to gain full root access, is difficult at
best.

Security Tip Written by Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)
Additional tips are available at the following URL:
http://www.linuxsecurity.com/tips/

-----

Security Expert Dave Wreski Discusses Open Source Security

LinuxSecurity.com editors have a seat with Dave Wreski, CEO of Guardian
Digital, Inc. and respected author of various hardened security and
Linux publications, to talk about how Guardian Digital is changing the
face of IT security today. Guardian Digital is perhaps best known for
their hardened Linux solution EnGarde Secure Linux, touted as the
premier secure, open-source platform for its comprehensive array of
general purpose services, such as web, FTP, email, DNS, IDS, routing,
VPN, firewalling, and much more.

http://www.linuxsecurity.com/feature_stories/feature_story-170.html

---------------------------------------------------------------------

Catching up with Wietse Venema, creator of Postfix and TCP Wrapper

Duane Dunston speaks at length with Wietse Venema on his current
research projects at the Thomas J.
Watson Research Center, including his forensics efforts with The
Coroner's Toolkit. Wietse Venema is best known for the software TCP
Wrapper, which is still widely used today and is included with almost
all unix systems. Wietse is also the author of the Postfix mail system
and the co-author of the very cool suite of utilities called The
Coroner's Toolkit or "TCT".

http://www.linuxsecurity.com/feature_stories/feature_story-169.html

------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: SCO Group        | ----------------------------//
+---------------------------------+

 7/29/2004 - sendmail
   Multiple vulnerabilities

   This patch addresses one Denial of Service vulnerability and one
   other that can lead to the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/caldera_advisory-4611.html

 7/29/2004 - tcpdump
   Multiple vulnerabilities

   This patch addresses three separate vulnerabilities in tcpdump.
   http://www.linuxsecurity.com/advisories/caldera_advisory-4612.html

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 7/29/2004 - kernel
   Multiple vulnerabilities

   This patch fixes five separate kernel vulnerabilities.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4610.html

 7/30/2004 - samba
   Buffer overflow vulnerabilities

   Exploitation of these vulnerabilities could lead to execution of
   arbitrary code.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-4620.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 7/23/2004 - libapache-mod-ssl
   Multiple vulnerabilities
   Buffer overflow vulnerabilities

   This patch resolves a buffer overflow and a format string
   vulnerability, either of which can lead to arbitrary code
   execution.
   http://www.linuxsecurity.com/advisories/debian_advisory-4594.html

 7/23/2004 - mailreader
   Directory traversal vulnerability

   A directory traversal vulnerability was discovered in mailreader
   whereby remote attackers could view arbitrary files with the
   privileges of the nph-mr.cgi process (by default, www-data).
   http://www.linuxsecurity.com/advisories/debian_advisory-4595.html

 7/23/2004 - courier
   Cross Site Scripting vulnerability

   An attacker could cause web script to be executed within the
   security context of the sqwebmail application.
   http://www.linuxsecurity.com/advisories/debian_advisory-4596.html

 7/29/2004 - libapache-mod-ssl
   Multiple vulnerabilities
   Cross Site Scripting vulnerability

   This patch fixes a buffer overflow and a format string
   vulnerability in libapache-mod-ssl, both of which allow execution
   of arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-4609.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 7/23/2004 - abiword
   Undefined security fix

   2.0.5 + wv security backport
   http://www.linuxsecurity.com/advisories/fedora_advisory-4591.html

 7/23/2004 - subversion
   Information leak vulnerability

   Vulnerability allows reading of part of a repository when a user
   can write to another.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4592.html

 7/23/2004 - php
   Multiple vulnerabilities

   This patch resolves two different php vulnerabilities, one of which
   allows arbitrary code execution on the local machine, the other XSS
   (Cross Site Scripting).
   http://www.linuxsecurity.com/advisories/fedora_advisory-4593.html

 7/29/2004 - sox
   Buffer overflow vulnerabilities

   Exploiting this, an attacker could embed arbitrary code in a
   malicious WAV file which would execute when it is played.
   http://www.linuxsecurity.com/advisories/fedora_advisory-4608.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 7/29/2004 - Subversion
   Permission escape vulnerability

   Users with write access to parts of a Subversion repository may
   bypass read restrictions in mod_authz_svn and read any part of the
   repository they wish. An important addendum follows the advisory.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4606.html

 7/29/2004 - Pavuk
   Buffer overflow vulnerability

   Pavuk contains a bug that can allow an attacker to run arbitrary
   code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4607.html

 7/30/2004 - samba
   Buffer overflow vulnerabilities

   Two buffer overflow vulnerabilities were found in Samba,
   potentially allowing the remote execution of arbitrary code.
   (Note: this announcement takes the ERRATA released by Gentoo into
   account).
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4617.html

 7/30/2004 - phpMyAdmin
   Multiple vulnerabilities

   Multiple vulnerabilities in phpMyAdmin may allow a remote attacker
   with a valid user account to alter configuration variables and
   execute arbitrary PHP code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4618.html

 7/30/2004 - SoX
   Buffer overflow vulnerabilities

   By enticing a user to play or convert a specially crafted WAV file,
   an attacker could execute arbitrary code with the permissions of
   the user running SoX.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-4619.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 7/23/2004 - samba
   Buffer overflow vulnerabilities

   This patch fixes two separate exploitable buffer overruns in samba.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4590.html

 7/29/2004 - postgresql
   Buffer overflow vulnerability

   A buffer overflow has been discovered in the ODBC driver of
   PostgreSQL.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4601.html

 7/29/2004 - XFree86
   Improper open port vulnerability

   XDM in XFree86 opens a chooserFd TCP socket even when
   DisplayManager.requestPort is 0, which could allow remote attackers
   to connect to the port, in violation of the intended restrictions.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4602.html

 7/29/2004 - webmin
   Multiple vulnerabilities

   This patch addresses an information leak and a method that allows
   brute force user/password attacks.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4603.html

 7/29/2004 - mod_ssl
   Insecure log access

   Ralf S. Engelschall found a remaining risky call to ssl_log while
   reviewing code for another issue reported by Virulent.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4604.html

 7/29/2004 - sox
   Buffer overflow vulnerabilities

   Ulf Harnhammar discovered two buffer overflows in SoX. They occur
   when the sox or play commands handle malicious .WAV files.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4605.html

 7/30/2004 - wv
   Buffer overflow vulnerability

   iDefense discovered a buffer overflow vulnerability in the wv
   package which could allow an attacker to execute arbitrary code
   with the runner's privileges.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4615.html

 7/30/2004 - OpenOffice.org
   Multiple vulnerabilities
   Buffer overflow vulnerability

   These updated packages contain fixes to libneon to correct the
   several format string vulnerabilities in it, as well as a
   heap-based buffer overflow vulnerability.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-4616.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 7/29/2004 - samba
   Buffer overflow vulnerability

   The Samba team discovered a buffer overflow in the code used to
   support the 'mangling method = hash' smb.conf option.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4600.html

 7/30/2004 - sox
   Buffer overflow vulnerabilities

   A malicious WAV file could cause arbitrary code to be executed when
   the file was played or converted.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4613.html

 7/30/2004 - ipsec-tools
   Key verification vulnerability
   Buffer overflow vulnerabilities

   When configured to use X.509 certificates to authenticate remote
   hosts, ipsec-tools versions 0.3.3 and earlier will attempt to
   verify that host certificate, but will not abort the key exchange
   if verification fails.
   http://www.linuxsecurity.com/advisories/redhat_advisory-4614.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 7/29/2004 - samba
   Buffer overflow vulnerabilities

   This fixes two buffer overflows in SAMBA. There are two sections to
   this advisory: the original and the one that does NOT add a new
   dependency.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4598.html

 7/29/2004 - mod_ssl
   Format string vulnerability

   A format string vulnerability in mod_proxy hook functions could
   allow an attacker to run code as the mod_ssl user.
   http://www.linuxsecurity.com/advisories/slackware_advisory-4599.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

 7/23/2004 - samba
   Buffer overflow vulnerabilities

   This patch resolves two buffer overflows, both of which could be
   used to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/suse_advisory-4589.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 7/29/2004 - apache,mod_php4,samba
   Multiple vulnerabilities
   Buffer overflow vulnerabilities

   This patch fixes a variety of vulnerabilities affecting apache,
   mod_php4, and samba.
   http://www.linuxsecurity.com/advisories/trustix_advisory-4597.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------