+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  November 5th, 2004                         Volume 5, Number 45a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                  Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx       ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for xpdf, libtiff3, sasl, shadow,
ruby, freeamp, gzip, libgd1, gnats, libgd2, Gallery, ImageMagick, zgv,
mtink, Apache, pavuk, samba, libxml, webmin, and speedtouch. The
distributors include Conectiva, Debian, Fedora, Gentoo, Mandrake, and
Trustix.

>> LinuxSecurity.com Version 2 <<

Get ready ... on December 1st the new LinuxSecurity.com site will be
revealed. The same great content you've come to expect with a whole new
look and great new features. A sneak preview is coming soon!

-----

Identify Gateway Machines

Special attention should be paid to gateway or firewall systems, as they
usually control access to the services running on the entire network.
Such gateways should be identified, their function within the network
should be assessed, and their owners or administrators should be
identified.

These hosts, often referred to as ``bastion hosts'', are a prime target
for an intruder. They should be some of the most fortified machines on
the network. Be sure to regularly review the current access policies and
the security of the system itself. These ``systems'' should absolutely
only be running the services necessary to perform their operation. Your
firewall should not be your mail server or web server, should not
contain user accounts, etc.

Some of the things you should check for, and absolutely fortify on these
hosts, include:

- Turn off access to all but necessary services.
- Depending on the type of firewall, disable IP forwarding, preventing
  the system from routing packets unless absolutely instructed to do so.
- Update the machine by installing vendor patches immediately.
- Restrict network management utilities, such as SNMP, ``public''
  communities, and write access.
- Be sure the firewall policy includes mechanisms for preventing common
  attacks such as IP spoofing, fragmentation attacks, denial of service,
  etc.
- Monitor status very closely. You should establish a baseline of how the
  machine normally operates, so that variations which may indicate an
  intrusion can be detected.
- Develop a comprehensive firewall model. Firewalls should be treated as
  a security system, not just a program that runs on a machine and has
  an access control list. Firewall administration should be centrally
  controlled, and firewall policies should be evaluated prior to actual
  deployment.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)

-----

Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server
architecture to check for changes on a system. A central server
maintains the file-integrity database and configuration for each client.
At a scheduled time it sends the configuration file to the client, which
runs a scan and sends the results back to the server, where they are
compared against the database for changes. Any changes are then sent via
email, if so configured, to a system administrator or group of people.
All communication takes place over an encrypted channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
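As an added example (not code from the newsletter or from the Administrator's Guide), a small POSIX shell audit for three items on the gateway checklist above: IP forwarding, listening services that are not on an allow-list, and SNMP ``public'' or read-write communities. By default it reads /proc/sys/net/ipv4/ip_forward, /proc/net/tcp and /etc/snmp/snmpd.conf; the sample files it builds at the bottom are constructed for the demonstration and are not taken from any real host.

```shell
#!/bin/sh
# Bastion-host audit for three checklist items: IP forwarding, listening
# services, and SNMP community strings. Added example, not code from the
# newsletter or the Administrator's Guide. Every check takes a file path,
# so it can read /proc and /etc on a live gateway or constructed samples.

# Returns 0 when forwarding is off, 1 when on, 2 when the file is unreadable.
ip_forward_off() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Prints listening TCP ports missing from the space-separated allow-list.
# Parses /proc/net/tcp directly (field 4 = state, 0A = LISTEN; field 2 ends
# in the local port in hex), so no netstat/ss is needed; run it over
# /proc/net/tcp6 as well on dual-stack hosts.
unexpected_listeners() {
    tcp=${1:-/proc/net/tcp}; allowed=${2:-22}
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$tcp" |
    while read -r hex; do
        port=$((0x$hex))
        case " $allowed " in
            *" $port "*) ;;        # expected service, e.g. sshd
            *) echo "$port" ;;     # anything else is a finding
        esac
    done | sort -un
}

# Prints snmpd.conf lines that grant the "public" community or any
# read-write (rwcommunity) access; prints nothing when snmpd is absent.
snmp_findings() {
    conf=${1:-/etc/snmp/snmpd.conf}
    [ -r "$conf" ] || return 0
    grep -Ei '^[[:space:]]*(ro|rw)community[[:space:]]+public([[:space:]]|$)|^[[:space:]]*rwcommunity[[:space:]]' "$conf"
    return 0
}

# audit_gateway IP_FORWARD_FILE TCP_TABLE SNMPD_CONF ALLOWED_PORTS
# Returns the number of failed checks (0 = clean). With no arguments the
# defaults above apply, i.e. it audits the host it runs on.
audit_gateway() {
    fails=0
    if ip_forward_off "$1"; then echo "PASS ip_forward is 0"
    else echo "FAIL ip forwarding enabled (or sysctl unreadable)"; fails=$((fails + 1)); fi
    extra=$(unexpected_listeners "$2" "$4")
    if [ -z "$extra" ]; then echo "PASS only expected TCP listeners"
    else echo "FAIL unexpected TCP listeners: $(echo "$extra" | tr '\n' ' ')"; fails=$((fails + 1)); fi
    weak=$(snmp_findings "$3")
    if [ -z "$weak" ]; then echo "PASS no weak SNMP communities"
    else echo "FAIL weak SNMP community lines:"; echo "$weak"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed samples (not from a real host): forwarding on, sshd (22) plus
# http (80) and mysql (3306) listening, one established client connection,
# and an snmpd.conf still using "public" and a read-write community.
make_samples() {
    echo 1 > "$1/ip_forward"
    cat > "$1/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4
   4: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 5
EOF
    printf 'rocommunity public\nrwcommunity private 10.0.0.0/8\ncom2sec ro localhost s3cret\n' > "$1/snmpd.conf"
}

samples=$(mktemp -d)
make_samples "$samples"
if audit_gateway "$samples/ip_forward" "$samples/tcp" "$samples/snmpd.conf" 22
then echo "sample gateway is clean"; else echo "failed checks: $?"; fi
rm -rf "$samples"
```

On a live gateway call audit_gateway with no arguments and pass the ports the host is supposed to serve as the fourth argument; the sample run reports three failed checks.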
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
| Distribution: Conectiva         | ----------------------------//
+---------------------------------+

11/8/2004 - xpdf vulnerabilities fix

  Chris Evans discovered several integer overflow vulnerabilities in the
  xpdf code which can be exploited remotely by a specially crafted PDF
  document and may lead to the execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5098.html

11/8/2004 - libtiff3 vulnerabilities fix

  This announcement fixes several integer overflow vulnerabilities that
  were encountered in libtiff.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5099.html

11/11/2004 - sasl buffer overflow vulnerability fix

  A vulnerability has been discovered in the Cyrus implementation of the
  SASL library. The library honors the environment variable SASL_PATH
  blindly, which allows a local attacker to link against a malicious
  library to run arbitrary code with the privileges of a setuid or setgid
  application.
  http://www.linuxsecurity.com/advisories/conectiva_advisory-5150.html

+---------------------------------+
| Distribution: Debian            | ----------------------------//
+---------------------------------+

11/5/2004 - shadow unintended behaviour fix

  A vulnerability has been discovered in the shadow suite, which provides
  programs like chfn and chsh. It is possible for a user who is logged in
  but has an expired password to alter his account information with chfn
  or chsh without having to change the password. The problem was
  originally thought to be more severe.
  http://www.linuxsecurity.com/advisories/debian_advisory-5086.html

11/8/2004 - ruby denial of service fix

  The upstream developers of Ruby have corrected a problem in the CGI
  module for this language. Specially crafted requests could cause an
  infinite loop and thus cause the program to consume CPU cycles.
  http://www.linuxsecurity.com/advisories/debian_advisory-5088.html

11/8/2004 - freeamp arbitrary code execution fix

  Luigi Auriemma discovered a buffer overflow condition in the playlist
  module of freeamp which could lead to arbitrary code execution. Recent
  versions of freeamp were renamed to zinf.
  http://www.linuxsecurity.com/advisories/debian_advisory-5089.html

11/8/2004 - gzip insecure temporary files fix

  Trustix developers discovered insecure temporary file creation in
  supplemental scripts in the gzip package, which may allow local users
  to overwrite files via a symlink attack.
  http://www.linuxsecurity.com/advisories/debian_advisory-5101.html

11/9/2004 - libgd1 arbitrary code execution fix

  "infamous41md" discovered several integer overflows in the PNG image
  decoding routines of the GD graphics library. This could lead to the
  execution of arbitrary code on the victim's machine.
  http://www.linuxsecurity.com/advisories/debian_advisory-5133.html

11/9/2004 - gnats arbitrary code execution fix

  Khan Shirani discovered a format string vulnerability in gnats, the GNU
  problem report management system. This problem may be exploited to
  execute arbitrary code.
  http://www.linuxsecurity.com/advisories/debian_advisory-5134.html

11/9/2004 - libgd2 arbitrary code execution fix

  "infamous41md" discovered several integer overflows in the PNG image
  decoding routines of the GD graphics library. This could lead to the
  execution of arbitrary code on the victim's machine.
  http://www.linuxsecurity.com/advisories/debian_advisory-5135.html

+---------------------------------+
| Distribution: Fedora            | ----------------------------//
+---------------------------------+

11/8/2004 - udev-039-10.FC3.1 update arbitrary code execution fix

  Due to debugging code left accidentally in the FC3 udev package,
  SIGCHLD signals are blocked in udev, which prevents getting the proper
  exit status in udev.rules.
  This means no cdrom symlinks are created and pam_console does not
  apply desktop user ownerships to any cdrom devices.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5102.html

11/8/2004 - initscripts-7.93.5-1 update arbitrary code execution fix

  This update fixes some minor bugs discovered after the final freeze
  date.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5103.html

11/8/2004 - hotplug-2004_04_01-8 update arbitrary code execution fix

  This update makes hotplug load the sg module for non-disk, non-optical
  devices.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5104.html

11/8/2004 - ipsec-tools-0.3.3-2 update arbitrary code execution fix

  This update fixes the use of 'setkey' when reading from stdin (the '-c'
  argument).
  http://www.linuxsecurity.com/advisories/fedora_advisory-5105.html

11/8/2004 - kde-i18n-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5106.html

11/8/2004 - kdeaddons-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5107.html

11/8/2004 - kdeadmin-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5108.html

11/8/2004 - kdeartwork-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5109.html

11/8/2004 - kdebase-3.3.1-4.1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5110.html

11/8/2004 - kdebindings-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5111.html

11/8/2004 - kdeedu-3.3.1-2.1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5112.html

11/8/2004 - kdegames-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5113.html

11/8/2004 - kdegraphics-3.3.1-2.1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5114.html

11/8/2004 - kdelibs-3.3.1-2.2 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5115.html

11/8/2004 - kdemultimedia-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5116.html

11/8/2004 - kdenetwork-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5117.html

11/8/2004 - kdepim-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5118.html

11/8/2004 - kdesdk-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5119.html

11/8/2004 - kdetoys-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5120.html

11/8/2004 - kdeutils-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5121.html

11/8/2004 - kdevelop-3.1.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5122.html

11/8/2004 - kdewebdev-3.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5123.html

11/8/2004 - arts-1.3.1-1 update arbitrary code execution fix

  KDE 3.3.1 update
  http://www.linuxsecurity.com/advisories/fedora_advisory-5124.html

11/8/2004 - gpdf-2.8.0-8 update arbitrary code execution fix

  GPdf includes the gpdf application, a Bonobo control for PDF display
  which can be embedded in Nautilus, and a Nautilus property page for PDF
  files.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5125.html

11/8/2004 - wireless-tools-27-0.pre25.3 update arbitrary code execution fix

  Fixes a memory leak during wireless scans that affects NetworkManager.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5126.html

11/8/2004 - redhat-artwork-0.96-2 update arbitrary code execution fix

  This update fixes issues when using redhat-artwork on 64-bit platforms
  with both the 32-bit and 64-bit versions installed.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5127.html

11/8/2004 - gnome-media-2.8.0-3.FC3.1 update arbitrary code execution fix

  GNOME (GNU Network Object Model Environment) is a user-friendly set of
  GUI applications and desktop tools to be used in conjunction with a
  window manager for the X Window System. The gnome-media package
  installs media features like the GNOME CD player.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5128.html

11/8/2004 - zip-2.3-26.2 update arbitrary code execution fix

  A buffer overflow has been found in zip, triggered when a user tries
  to create a zip archive containing very long filenames.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5131.html

11/8/2004 - zip-2.3-26.3 update arbitrary code execution fix

  A buffer overflow has been found in zip, triggered when a user tries
  to create a zip archive containing very long filenames.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5132.html

11/9/2004 - gnumeric-1.2.13-8.fc3 update arbitrary code execution fix

  64bit excel {im|ex}port backport fixes
  http://www.linuxsecurity.com/advisories/fedora_advisory-5136.html

11/10/2004 - system-config-users-1.2.27-0.fc2.1 update arbitrary code execution fix

  system-config-users is a graphical utility for administering users and
  groups. It depends on the libuser library.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5140.html

11/10/2004 - openoffice.org-1.1.2-11.5.fc3 update arbitrary code execution fix

  The fixes in this update are detailed in the changelog entry below.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5141.html

11/10/2004 - openoffice.org-1.1.2-11.4.fc2 update arbitrary code execution fix

  The fixes in this update are detailed in the changelog entry below.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5142.html

11/10/2004 - jwhois-3.2.2-6.FC3.1 update arbitrary code execution fix

  This update fixes a crash when processing a query that requires more
  than one redirection.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5143.html

11/11/2004 - ruby-1.8.1-6.FC2.0 update arbitrary code execution fix

  Ruby is the interpreted scripting language for quick and easy
  object-oriented programming. It has many features to process text files
  and to do system management tasks (as in Perl). It is simple,
  straightforward, and extensible.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5144.html

11/11/2004 - ruby-1.8.1-7.FC3.1 update arbitrary code execution fix

  Ruby is the interpreted scripting language for quick and easy
  object-oriented programming. It has many features to process text files
  and to do system management tasks (as in Perl). It is simple,
  straightforward, and extensible.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5145.html

11/11/2004 - glibc-2.3.3-27.1 update arbitrary code execution fix

  The glibc package contains standard libraries which are used by
  multiple programs on the system. In order to save disk space and
  memory, as well as to make upgrading easier, common system code is kept
  in one place and shared between programs.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5153.html

11/11/2004 - system-config-users-1.2.27-0.fc3.1 update arbitrary code execution fix

  system-config-users is a graphical utility for administering users and
  groups.
  It depends on the libuser library.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5154.html

11/11/2004 - libxml2-2.6.16-2 update arbitrary code execution fix

  This update to libxml2 fixes a variety of bugs found in 2.6.15, notably
  #137968.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5155.html

11/11/2004 - libxml2-2.6.16-3 update arbitrary code execution fix

  This update to libxml2 fixes a variety of bugs found in 2.6.15, notably
  #137968.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5156.html

11/11/2004 - gd-2.0.21-5.20.1 update arbitrary code execution fix

  Several buffer overflows were reported in various memory allocation
  calls. An attacker could create a carefully crafted image file in such
  a way that it could cause ImageMagick to execute arbitrary code when
  processing the image.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5157.html

11/11/2004 - gd-2.0.28-1.30.1 update arbitrary code execution fix

  Several buffer overflows were reported in various memory allocation
  calls. An attacker could create a carefully crafted image file in such
  a way that it could cause ImageMagick to execute arbitrary code when
  processing the image.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5158.html

11/11/2004 - unarj-2.63a-7 update arbitrary code execution fix

  A buffer overflow bug has been discovered in unarj when handling long
  file names contained in an archive. An attacker could create an archive
  with a specially crafted path which could cause unarj to crash or
  execute arbitrary instructions.
  http://www.linuxsecurity.com/advisories/fedora_advisory-5159.html

+---------------------------------+
| Distribution: Gentoo            | ----------------------------//
+---------------------------------+

11/6/2004 - GPdf, KPDF, KOffice Vulnerabilities in included xpdf arbitrary code execution fix

  The original fix introduced new vulnerabilities on 64-bit platforms.
  New fixed packages are available. Updated sections follow.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5090.html

11/6/2004 - Xpdf, CUPS Multiple integer overflows arbitrary code execution fix

  The original fix introduced new vulnerabilities on 64-bit platforms.
  New fixed packages are available. Updated sections follow.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5091.html

11/6/2004 - Gallery Cross-site scripting vulnerability

  Gallery is vulnerable to cross-site scripting attacks.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5092.html

11/6/2004 - ImageMagick EXIF buffer overflow

  ImageMagick contains an error in boundary checks when handling EXIF
  information, which could lead to arbitrary code execution.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5093.html

11/7/2004 - zgv Multiple buffer overflows

  zgv contains multiple buffer overflows that can potentially lead to the
  execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5094.html

11/7/2004 - Portage, Gentoolkit Temporary file vulnerabilities Multiple buffer overflows

  dispatch-conf (included in Portage) and qpkg (included in Gentoolkit)
  are vulnerable to symlink attacks, potentially allowing a local user to
  overwrite arbitrary files with the rights of the user running the
  script.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5095.html

11/7/2004 - Kaffeine, gxine Remotely exploitable buffer overflow Multiple buffer overflows

  Kaffeine and gxine both contain a buffer overflow that can be exploited
  when accessing content from a malicious HTTP server with specially
  crafted headers.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5096.html

11/8/2004 - OpenSSL, Groff Insecure tempfile handling Multiple buffer overflows

  groffer, included in the Groff package, and the der_chop script,
  included in the OpenSSL package, are both vulnerable to symlink
  attacks, potentially allowing a local user to overwrite arbitrary files
  with the rights of the user running the utility.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5097.html

11/9/2004 - zip Path name buffer overflow

  zip contains a buffer overflow when creating a ZIP archive of files
  with very long path names. This could lead to the execution of
  arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5137.html

11/9/2004 - mtink Insecure tempfile handling

  mtink is vulnerable to symlink attacks, potentially allowing a local
  user to overwrite arbitrary files with the rights of the user running
  the utility.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5138.html

11/10/2004 - Apache 2.0 Denial of Service by memory consumption

  A flaw in Apache 2.0 could allow a remote attacker to cause a Denial of
  Service.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5139.html

11/11/2004 - pavuk Multiple buffer overflows

  Pavuk contains multiple buffer overflows that can allow a remote
  attacker to run arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5151.html

11/11/2004 - ez-ipupdate Format string vulnerability Multiple buffer overflows

  ez-ipupdate contains a format string vulnerability that could lead to
  execution of arbitrary code.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5152.html

11/11/2004 - samba Remote Denial of Service

  An input validation flaw in Samba may allow a remote attacker to cause
  a Denial of Service by excessive consumption of CPU cycles.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5160.html

11/11/2004 - Davfs2, lvm-user Insecure tempfile handling Remote Denial of Service

  Davfs2 and the lvmcreate_initrd script (included in the lvm-user
  package) are both vulnerable to symlink attacks, potentially allowing a
  local user to overwrite arbitrary files with the rights of the user
  running them.
  http://www.linuxsecurity.com/advisories/gentoo_advisory-5161.html

+---------------------------------+
| Distribution: Mandrake          | ----------------------------//
+---------------------------------+

11/5/2004 - shadow security bypass vulnerability fix

  A vulnerability in the shadow suite was discovered by Martin Schulze
  that can be exploited by local users to bypass certain security
  restrictions, due to an input validation error in the passwd_check()
  function. This function is used by the chfn and chsh tools.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5084.html

11/5/2004 - libxml libxml2 multiple vulnerabilities fix

  Multiple buffer overflows were reported in the libxml XML parsing
  library. These vulnerabilities may allow remote attackers to execute
  arbitrary code via a long FTP URL that is not properly handled by the
  xmlNanoFTPScanURL() function, a long proxy URL containing FTP data that
  is not properly handled by the xmlNanoFTPScanProxy() function, and
  other overflows in the code that resolves names via DNS.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5085.html

11/8/2004 - ruby remote DoS vulnerability fix

  Andres Salomon noticed a problem with the CGI session management in
  Ruby. The CGI::Session FileStore implementations store session
  information in an insecure manner by just creating files and ignoring
  permission issues (CAN-2004-0755).
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5129.html

11/10/2004 - webmin problem with some modules fix

  There was a problem with two modules in the webmin package that did not
  work correctly: the cron and backup modules. The updated packages fix
  the problem so the modules will again work.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5146.html

11/11/2004 - ez-ipupdate format string vulnerability fix problem with some modules fix

  Ulf Harnhammar discovered a format string vulnerability in ez-ipupdate,
  a client for many dynamic DNS services.
  The updated packages are patched to protect against this problem.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5147.html

11/11/2004 - speedtouch format string vulnerability fix

  The Speedtouch USB driver contains a number of format string
  vulnerabilities due to improperly made syslog() system calls. These
  vulnerabilities can be abused by a local user to potentially allow the
  execution of arbitrary code with elevated privileges.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5148.html

11/11/2004 - samba DoS vulnerability fix

  Karol Wiesek discovered a bug in the input validation routines in Samba
  3.x used to match filename strings containing wildcard characters. This
  bug may allow a user to consume more than normal amounts of CPU cycles,
  which would impact the performance and response of the server.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-5149.html

+---------------------------------+
| Distribution: Trustix           | ----------------------------//
+---------------------------------+

11/5/2004 - apache buffer overflow

  Potential buffer overflow with escaped characters in SSI tag string.
  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0940 to this issue.
  http://www.linuxsecurity.com/advisories/trustix_advisory-5087.html

11/8/2004 - php, postfix, kernel, sqlgrey, sqlite package fixes buffer overflow

  PHP: Wrong "extension_dir" leads to problems loading modules.
  Postfix: Fixed a missing define that prevented dynamic loading of
  modules.
  http://www.linuxsecurity.com/advisories/trustix_advisory-5100.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------