+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  November 5th, 2004                           Volume 5, Number 44a  |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for rsync, squid, subversion, gaim,
apache, postgresql, mpg123, abiword, iptables, xpdf, libxml, lvm10, dhcp,
ppp, Apache, speedtouch, proxytunnel, shadow, mysql, netatalk, mod_ssl,
and libtiff. The distributors include Conectiva, Debian, Fedora, Gentoo,
Mandrake, Openwall, Slackware, and Trustix.

-----

NFS Security

NFS is a very widely used file sharing protocol. It allows servers
running nfsd(8) and mountd(8) to ``export'' entire filesystems to other
machines with NFS filesystem support built into their kernels (or some
other client support if they are non-Linux machines). mountd(8) keeps
track of mounted filesystems in /etc/mtab, and can display them with
showmount(8).

Many sites use NFS to serve home directories to users, so that no
matter what machine in the cluster they log in to, they will have all
their home files.

There is some small amount of ``security'' allowed in exporting
filesystems. You can make your nfsd map the remote root user (uid=0)
to the nobody user, denying them total access to the files exported.
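As an added example (not part of the newsletter or of the Administrator's
Guide it excerpts), the POSIX shell script below audits an exports(5) file
for the settings this section warns against: exporting the whole root
filesystem, exporting to wildcard clients, read-write exports, and leaving
the remote root user unmapped (the no_root_squash option; root_squash is
the uid 0 to nobody mapping described above). The exports file it reads is
a constructed sample, and the option keywords are the standard Linux
exports(5) ones; nothing here is taken from a real host.

```shell
#!/bin/sh
# Added example, not from the newsletter: audit an exports(5) file for the
# weak settings the NFS Security section warns about. Option names
# rw/ro/root_squash/no_root_squash are the standard Linux exports(5)
# keywords. The file written below is a constructed sample.

SAMPLE_EXPORTS="$(mktemp)"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# weak: whole root, any client, read-write, remote uid 0 kept as root
/          *(rw,no_root_squash)
# writable to a whole subnet; acceptable only if writes are really needed
/srv/data  192.168.1.0/24(rw)
# closer to the advice above: one directory, named clients, read-only,
# remote root mapped to nobody (root_squash is also the default)
/home      192.168.1.10(ro,root_squash) 192.168.1.11(ro,root_squash)
EOF

# audit_exports FILE
# Prints one finding per line and returns 0 only when nothing was flagged.
audit_exports() {
    file="$1"
    findings=0
    set -f                        # no globbing: a client spec may be "*"
    while read -r line; do
        # skip blank lines and comments
        case "$line" in ''|\#*) continue ;; esac
        set -- $line              # split into export path and client specs
        path="$1"; shift
        if [ "$path" = "/" ]; then
            echo "$path: the entire root filesystem is exported"
            findings=$((findings + 1))
        fi
        for client in "$@"; do
            # a client spec is either host or host(opt,opt,...)
            case "$client" in
                *\(*) host="${client%%\(*}"; opts="${client#*\(}"; opts="${opts%)}" ;;
                *)    host="$client"; opts="" ;;
            esac
            case "$host" in
                ''|*\**|\?*)
                    echo "$path: exported to wildcard client '$host'"
                    findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path ($host): no_root_squash leaves remote uid 0 as root"
                    findings=$((findings + 1)) ;;
            esac
            case ",$opts," in
                *,rw,*)
                    echo "$path ($host): read-write export; prefer ro where possible"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f
    [ "$findings" -eq 0 ]
}

# count_findings FILE: number of findings, convenient for scripting
count_findings() {
    audit_exports "$1" | grep -c . || true
}

audit_exports "$SAMPLE_EXPORTS" || echo "exports file needs attention"
```

Run it against /etc/exports on a server to get a short list of exports to
tighten. It only looks at the exports file; the portmapper and nfsd port
filtering the section also recommends is a host or gateway firewall matter
and is not checked here.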
However, since individual users have access to their own (or at least
the same uid) files, the remote superuser can log in or su to their
account and have total access to their files. This is only a small
hindrance to an attacker that has access to mount your remote
filesystems.

If you must use NFS, make sure you export only to those machines that
really need it. Never export your entire root directory; export only
the directories you need to export, and export read-only wherever
possible. Filter TCP port 111, UDP port 111 (portmapper), TCP port 2049,
and UDP port 2049 (nfsd) on your firewall or gateway to prevent external
access.

The NFS HOWTO also discusses some of the security issues with NFS, and
it is available at:
http://www.tldp.org/HOWTO/NFS-HOWTO/

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a
client/server architecture to check for changes on a system. A central
server maintains the file-integrity database and configuration for a
client and, at a specified time, sends the configuration file over to
the client, runs a scan and sends the results back to the server to
compare for any changes. Those changes are then sent via email, if
configured, to a system admin or group of people. The communication is
all done over an encrypted communication channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 11/1/2004 - rsync path sanitation vulnerabilities fix
   rsync before 2.6.1 does not properly sanitize paths[2] when running a
   read and write daemon without using chroot.
   This could allow a remote attacker to write files outside of the
   rsync directory, depending on rsync's daemon privileges.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5049.html

 11/3/2004 - squid denial of service vulnerability fix
   This announcement fixes a denial of service vulnerability[2] in squid
   caused by a malformed NTLMSSP packet. This causes a negative value to
   be passed to memcpy on servers with NTLM authentication enabled,
   making squid abort and causing a denial of service condition.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5071.html

 11/4/2004 - subversion vulnerabilities fix
   All subversion versions prior to and including 1.0.7 are vulnerable
   to a bug in mod_authz_svn that could allow sensitive metadata of
   protected areas to be leaked to unauthorized users, characterizing an
   information leak vulnerability.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5074.html

 11/4/2004 - gaim vulnerabilities fix
   This announcement fixes several denial of service and buffer overflow
   vulnerabilities that were encountered in Gaim.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5075.html

 11/4/2004 - apache mod_ssl vulnerability fix
   An issue[2] in the mod_ssl module was reported[3] by Hartmut Keil.
   When a particular location is configured to require a specific set of
   cipher suites through the "SSLCipherSuite" directive in its directory
   or location context, a client could be able to access that location
   using any cipher suite allowed by the virtual host configuration.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-5076.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

 10/29/2004 - squid several vulnerabilities fix
   Several security vulnerabilities have been discovered in Squid, the
   internet object cache, the popular WWW proxy cache.
   http://www.linuxsecurity.com/advisories/debian_advisory-5035.html

 10/29/2004 - postgresql symlink vulnerability fix
   Trustix Security Engineers identified insecure temporary file
   creation in a script included in the postgresql suite, an
   object-relational SQL database. This could lead an attacker to trick
   a user into overwriting arbitrary files he has write access to.
   http://www.linuxsecurity.com/advisories/debian_advisory-5036.html

 11/1/2004 - mpg123 arbitrary code execution fix
   Carlos Barros has discovered a buffer overflow in the HTTP
   authentication routine of mpg123, a popular (but non-free) MPEG
   layer 1/2/3 audio player.
   http://www.linuxsecurity.com/advisories/debian_advisory-5045.html

 11/1/2004 - abiword arbitrary code execution fix
   A buffer overflow vulnerability has been discovered in the wv
   library, used for converting and previewing Word documents. On
   exploitation an attacker could execute arbitrary code with the
   privileges of the user running the vulnerable application.
   http://www.linuxsecurity.com/advisories/debian_advisory-5050.html

 11/1/2004 - iptables modprobe failure fix
   Faheem Mitha noticed that the iptables command, an administration
   tool for IPv4 packet filtering and NAT, did not always load the
   required modules on its own as it was supposed to.
   http://www.linuxsecurity.com/advisories/debian_advisory-5051.html

 11/2/2004 - xpdf arbitrary code execution fix
   Chris Evans discovered several integer overflows in xpdf, a viewer
   for PDF files, which can be exploited remotely by a specially crafted
   PDF document and lead to the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-5064.html

 11/2/2004 - libxml arbitrary code execution fix
   "infamous41md" discovered several buffer overflows in libxml and
   libxml2, the XML C parser and toolkits for GNOME. Missing boundary
   checks could cause several buffers to be overflown, which may cause
   the client to execute arbitrary code.
   http://www.linuxsecurity.com/advisories/debian_advisory-5065.html

 11/3/2004 - lvm10 insecure temporary directory fix
   Trustix developers discovered insecure temporary file creation in a
   supplemental script in the lvm10 package that didn't check for
   existing temporary directories, allowing local users to overwrite
   files via a symlink attack.
   http://www.linuxsecurity.com/advisories/debian_advisory-5069.html

 11/4/2004 - dhcp format string vulnerability fix
   "infamous41md" noticed that the log functions in dhcp 2.x, which is
   still distributed in the stable Debian release, passed parameters to
   functions that use format strings. One use seems to be exploitable in
   connection with a malicious DNS server.
   http://www.linuxsecurity.com/advisories/debian_advisory-5077.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 10/29/2004 - libxslt-1.1.12-2 update
   This update fixes bug #137499 where some DocBook transformations
   broke following the latest security release of libxml2-2.6.15-2. It
   brings libxslt back in sync with the installed version of libxml2.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5044.html

 11/4/2004 - system-config-users-1.2.26-0.fc2.1 update
   system-config-users is a graphical utility for administering users
   and groups. It depends on the libuser library.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5078.html

 11/4/2004 - wget-1.9.1-16.fc2 update
   This new release of wget adds support for large files >2Gb, e.g. DVD
   ISOs.
   http://www.linuxsecurity.com/advisories/fedora_advisory-5079.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 10/29/2004 - Archive::Zip Virus detection evasion
   Email virus scanning software relying on Archive::Zip can be fooled
   into thinking a ZIP attachment is empty while it contains a virus,
   allowing detection evasion.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5043.html

 11/1/2004 - ppp Remote denial of service vulnerability
   pppd contains a vulnerability that may allow an attacker to crash
   the server.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5052.html

 11/1/2004 - Cherokee Format string vulnerability
   Cherokee contains a format string vulnerability that could lead to
   denial of service or the execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5053.html

 11/2/2004 - Apache 1.3 Buffer overflow vulnerability in mod_include
   A buffer overflow vulnerability exists in mod_include which could
   possibly allow a local attacker to gain escalated privileges.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5062.html

 11/2/2004 - Speedtouch USB driver Privilege escalation vulnerability
   A vulnerability in the Speedtouch USB driver can be exploited to
   allow local users to execute arbitrary code with escalated
   privileges.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5063.html

 11/2/2004 - libxml2 Remotely exploitable buffer overflow
   libxml2 contains multiple buffer overflows which could lead to the
   execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5066.html

 11/2/2004 - MIME-tools Virus detection evasion
   MIME-tools doesn't handle empty MIME boundaries correctly. This may
   prevent some virus-scanning programs which use MIME-tools from
   detecting certain viruses.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5067.html

 11/2/2004 - ppp No denial of service vulnerability
   pppd contains a bug that allows an attacker to crash his own
   connection, but it cannot be used to deny service to other users.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5068.html

 11/3/2004 - Proxytunnel Format string vulnerability
   Proxytunnel is vulnerable to a format string vulnerability,
   potentially allowing a remote server to execute arbitrary code with
   the rights of the Proxytunnel process.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5072.html

 11/3/2004 - GD Integer overflow
   The PNG image decoding routines in the GD library contain an integer
   overflow that may allow execution of arbitrary code with the rights
   of the program decoding a malicious PNG image.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5073.html

 11/4/2004 - shadow Unauthorized modification of account information
   A flaw in the chfn and chsh utilities might allow modification of
   account properties by unauthorized users.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-5080.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 11/2/2004 - gaim vulnerability fix
   A vulnerability in the MSN protocol handler in the gaim instant
   messenger application was discovered. When receiving unexpected
   sequences of MSNSLP messages, it is possible that an attacker could
   trigger an internal buffer overflow which could lead to a crash or
   even code execution as the user running gaim.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5055.html

 11/2/2004 - perl-Archive-Zip vulnerability fix
   Recently, it was noticed that several antivirus programs miss viruses
   that are contained in ZIP archives with manipulated directory data.
   The global archive directory of these ZIP files has been manipulated
   to indicate zero file sizes.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5056.html

 11/2/2004 - MySQL multiple vulnerabilities fix
   Jeroen van Wolffelaar discovered an insecure temporary file
   vulnerability in the mysqlhotcopy script when using the scp method
   (CAN-2004-0457).
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5057.html

 11/2/2004 - mpg123 vulnerability fix
   Carlos Barros discovered two buffer overflow vulnerabilities in
   mpg123; the first in the getauthfromURL() function and the second in
   the http_open() function. These vulnerabilities could be exploited to
   possibly execute arbitrary code with the privileges of the user
   running mpg123.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5058.html

 11/2/2004 - netatalk temporary file vulnerability fix
   The etc2ps.sh script, part of the netatalk package, creates files in
   /tmp with predictable names, which could allow a local attacker to
   use symbolic links to point to a valid file on the filesystem. This
   could lead to the overwriting of arbitrary files if etc2ps.sh is
   executed by someone with enough privilege.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5059.html

 11/2/2004 - perl-MIME-tools vulnerability fix
   There's a bug in MIME-tools, where it mis-parses things like
   boundary="". Some viruses use an empty boundary, which may allow
   unapproved parts through MIMEDefang.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5060.html

 11/2/2004 - mod_ssl information disclosure vulnerability fix
   A vulnerability in mod_ssl was discovered by Hartmut Keil. After a
   renegotiation, mod_ssl would fail to ensure that the requested cipher
   suite is actually negotiated. The provided packages have been patched
   to prevent this problem.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5061.html

 11/4/2004 - xorg-x11 libXpm overflow vulnerabilities fix
   Chris Evans found several stack and integer overflows in the libXpm
   code of X.Org/XFree86.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5081.html

 11/4/2004 - Mandrakelinux 10.1 various issues fix
   Various packages are now available that fix certain bugs in
   KDE-related packages in Mandrakelinux 10.1 Official edition.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5082.html

 11/4/2004 - iptables vulnerability fix
   Faheem Mitha discovered that the iptables tool would not always load
   the required modules on its own as it should have, which could in
   turn lead to firewall rules not being loaded on system startup in
   some cases.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5083.html

 11/5/2004 - shadow security bypass vulnerability fix
   A vulnerability in the shadow suite was discovered by Martin Schulze
   that can be exploited by local users to bypass certain security
   restrictions due to an input validation error in the passwd_check()
   function. This function is used by the chfn and chsh tools.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5084.html

 11/5/2004 - libxml libxml2 multiple vulnerabilities fix
   Multiple buffer overflows were reported in the libxml XML parsing
   library. These vulnerabilities may allow remote attackers to execute
   arbitrary code via a long FTP URL that is not properly handled by the
   xmlNanoFTPScanURL() function, a long proxy URL containing FTP data
   that is not properly handled by the xmlNanoFTPScanProxy() function,
   and other overflows in the code that resolves names via DNS.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-5085.html

+---------------------------------+
|  Distribution: Openwall         | ----------------------------//
+---------------------------------+

 11/3/2004 - glibc 2.3.x update
   Basically, the system has been updated to glibc 2.3.x (2.3.2 plus
   the patches found in the latest Red Hat Linux 9 glibc update, minus
   NPTL, and plus all of our modifications indeed).
   http://www.linuxsecurity.com/advisories/openwall_advisory-5070.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 11/1/2004 - apache+mod_ssl security issue fix
   New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0,
   and -current to fix a security issue. Apache has been upgraded to
   version 1.3.33 which fixes a buffer overflow which may allow local
   users to execute arbitrary code as the apache user.
   http://www.linuxsecurity.com/advisories/slackware_advisory-5047.html

 11/1/2004 - libtiff security issue fix
   New libtiff packages are available for Slackware 8.1, 9.0, 9.1,
   10.1, and -current to fix security issues that could lead to
   application crashes, or possibly execution of arbitrary code.
   http://www.linuxsecurity.com/advisories/slackware_advisory-5048.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

 11/1/2004 - libxml2, postgresql multiple security issues
   There is a buffer overflow when parsing a URL with ftp information
   in it. A loop incorrectly copies data from a user supplied buffer
   into a finite stack buffer with no regard for the length being
   copied.
   http://www.linuxsecurity.com/advisories/trustix_advisory-5046.html

 11/1/2004 - libxml2, postgresql multiple security issues
   There is a buffer overflow when parsing a URL with ftp information
   in it.
   A loop incorrectly copies data from a user supplied buffer into a
   finite stack buffer with no regard for the length being copied.
   http://www.linuxsecurity.com/advisories/trustix_advisory-5054.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

    To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------