+---------------------------------------------------------------------+
|  LinuxSecurity.com                          Weekly Newsletter       |
|  November 19th, 2004                        Volume 5, Number 46a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                    Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for libxml2, MySQL, imagemagick,
Apache, fetch, Ruby, BNC, Squirrelmail, gd, sudo, totem, drakxtools,
httpd, freeradius, and iptables. The distributors include Conectiva,
Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, Suse, and Trustix.

----- LinuxSecurity.com Version 2 -----

Get ready ... on December 1st the new LinuxSecurity.com site will be
revealed. The same great content you've come to expect with a whole
new look and great new features. A sneak preview is coming soon!

http://ads.linuxsecurity.com/cgi-bin/ads.pl?banner=lsv2flashdemo

------

Root Security

The most sought-after account on your machine is the superuser
account. This account has authority over the entire machine, which may
also include authority over other machines on the network. Remember
that you should only use the root account for very short, specific
tasks and should mostly run as a normal user. Running as root all the
time is a very very very bad idea.

Several tricks to avoid messing up your own box as root:

  * When running a complex command, try it first in a non-destructive
    way, especially commands that use globbing. For example, if you
    are going to run rm foo*.bak, first run ls foo*.bak and make sure
    you are going to delete the files you think you are. Using echo in
    place of a destructive command also sometimes works.
  * Provide your users with a default alias to the /bin/rm command
    that asks for confirmation before deleting files.

  * Only become root to do single, specific tasks. If you find
    yourself trying to figure out how to do something, go back to a
    normal user shell until you are sure what needs to be done by
    root.

  * The command path for the root user is very important. The command
    path, or the PATH environment variable, defines the locations the
    shell searches for programs. Limit the command path for the root
    user as much as possible, and never put '.', meaning 'the current
    directory', in your PATH. Additionally, never have writable
    directories in your search path: an attacker could modify or
    place new binaries there, and they would run as root the next
    time you ran that command.

  * Never use the rlogin/rsh/rexec (the ``r-utilities'') suite of
    tools as root. They are subject to many sorts of attacks and are
    downright dangerous when run as root. Never create a .rhosts file
    for root.

  * The /etc/securetty file contains the list of terminals that root
    can log in from. By default (on Red Hat Linux) this is set to only
    the local virtual consoles (vtys). Be very careful about adding
    anything else to this file. You should be able to log in remotely
    as your regular user account and then use su if you need to
    (hopefully over ssh or another encrypted channel), so there is no
    need to be able to log in directly as root.

  * Always be slow and deliberate when running as root. Your actions
    could affect a lot of things. Think before you type!

If you absolutely, positively need to allow someone (hopefully very
trusted) to have superuser access to your machine, there are a few
tools that can help. sudo allows users to use their own password to
access a limited set of commands as root. sudo keeps a log of all
successful and unsuccessful sudo attempts, allowing you to track down
who used what command to do what.
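Two of the checks from the tip list above (a clean PATH for root and a minimal /etc/securetty), written as an added example that is not part of the newsletter or of the Administrator's Guide it excerpts. Both functions take their input as arguments so they can be run against constructed data; treating tty<N> and vc/<N> as the only expected local-console names is an assumption.

```shell
#!/bin/sh
# Added example, not from the newsletter. audit_path() flags PATH entries
# that are '.' or empty (both mean the current directory) and directories
# writable by group or others; securetty_extras() lists entries of a
# securetty-style file that are not local virtual consoles.

# Print one finding per offending PATH entry; return 1 if any were found.
audit_path() {
    rest="$1:"            # trailing ':' so the last field is handled uniformly
    findings=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}   # field before the first ':'
        rest=${rest#*:}   # everything after it
        if [ -z "$dir" ] || [ "$dir" = "." ]; then
            printf 'unsafe: current directory in PATH (entry "%s")\n' "$dir"
            findings=$((findings + 1))
            continue
        fi
        if [ ! -d "$dir" ]; then
            printf 'note: %s is not a directory, skipped\n' "$dir" >&2
            continue
        fi
        # Mode string such as drwxrwxr-x: character 6 is the group write
        # bit, character 9 the "other" write bit. Sticky-bit directories
        # like /tmp (drwxrwxrwt) are still flagged: anyone can add files.
        mode=$(ls -ld -- "$dir" | cut -c1-10)
        case $mode in
            ?????w*|????????w*)
                printf 'unsafe: %s is writable by group or others (%s)\n' "$dir" "$mode"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Print entries of a securetty-style file that are not local virtual
# consoles (assumed to be tty<N> or vc/<N>); comments and blank lines are
# ignored. Return 1 if any extra entry exists.
securetty_extras() {
    extras=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            tty[0-9]*|vc/[0-9]*) ;;        # expected local consoles
            *) printf 'extra: %s\n' "$line"; extras=$((extras + 1)) ;;
        esac
    done < "$1"
    [ "$extras" -eq 0 ]
}

# Usage on a live system: audit_path "$PATH"; securetty_extras /etc/securetty
```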
For this reason sudo works well even in places where a number of
people have root access: use sudo so you can keep track of the changes
made. Although sudo can be used to give specific users specific
privileges for specific tasks, it has several shortcomings. It should
be used only for a limited set of tasks, like restarting a server or
adding new users. Any program that offers a shell escape will give the
user root access; this includes most editors, for example. Also, a
program as innocuous as /bin/cat can be used to overwrite files, which
could lead to a root compromise. Consider sudo a means of
accountability, and don't expect it to replace the root user and still
be secure.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html

Written by: Dave Wreski (dave@xxxxxxxxxxxxxxxxxxx)

----- Mass deploying Osiris -----

Osiris is a centralized file-integrity program that uses a
client/server architecture to check for changes on a system. A central
server maintains the file-integrity database and configuration for a
client and, at a specified time, sends the configuration file over to
the client, runs a scan and sends the results back to the server to
compare for any changes. Those changes are then sent via email, if
configured, to a system admin or group of people. The communication is
all done over an encrypted channel.

http://www.linuxsecurity.com/feature_stories/feature_story-175.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  11/18/2004 - libxml2
    buffer overflow vulnerabilities fix
    This update fixes a buffer overflow vulnerability[2,3] in the URI
    parsing code found by "infamous41md" at the nanoftp and nanohttp
    modules of libxml2.
    An attacker may exploit this vulnerability to execute arbitrary
    code with the privileges of the user running an affected
    application.
    http://www.linuxsecurity.com/advisories/conectiva_advisory-5193.html

  11/18/2004 - MySQL
    vulnerabilities fix
    Oleksandr Byelkin noticed[2] that ALTER TABLE ... RENAME checks
    CREATE/INSERT rights of the old table instead of the new one.
    Lukasz Wojtow noticed[3] a buffer overrun in the
    mysql_real_connect() function.
    http://www.linuxsecurity.com/advisories/conectiva_advisory-5194.html

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  11/12/2004 - ez-ipupdate
    format string vulnerability fix
    Ulf Härnhammar from the Debian Security Audit Project discovered a
    format string vulnerability in ez-ipupdate, a client for many
    dynamic DNS services. This problem can only be exploited if
    ez-ipupdate is running in daemon mode (most likely) with many but
    not all service types.
    http://www.linuxsecurity.com/advisories/debian_advisory-5162.html

  11/16/2004 - imagemagick
    arbitrary code execution fix
    A vulnerability has been reported for ImageMagick, a commonly used
    image manipulation library. Due to a boundary error within the
    EXIF parsing routine, a specially crafted graphic image could lead
    to the execution of arbitrary code.
    http://www.linuxsecurity.com/advisories/debian_advisory-5172.html

  11/17/2004 - Apache
    arbitrary code execution fix
    "Crazy Einstein" has discovered a vulnerability in the
    "mod_include" module, which can cause a buffer to be overflown and
    could lead to the execution of arbitrary code.
    http://www.linuxsecurity.com/advisories/debian_advisory-5180.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

  11/12/2004 - httpd-2.0.51-2.9 update
    arbitrary code execution fix
    This update includes the fixes for an issue in mod_ssl which could
    lead to a bypass of an SSLCipherSuite setting in directory or
    location context (CVE CAN-2004-0885), and a memory consumption
    denial of service issue in the handling of request header lines
    (CVE CAN-2004-0942).
    http://www.linuxsecurity.com/advisories/fedora_advisory-5166.html

  11/12/2004 - httpd-2.0.52-3.1 update
    arbitrary code execution fix
    This update includes the fix for a memory consumption denial of
    service issue in the handling of request header lines
    (CVE CAN-2004-0942).
    http://www.linuxsecurity.com/advisories/fedora_advisory-5167.html

  11/12/2004 - subversion-1.0.9-1 update
    arbitrary code execution fix
    This update includes the latest release of Subversion 1.0,
    including the fix for a regression in the performance of
    repository browsing since version 1.0.8.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5168.html

  11/12/2004 - subversion-1.1.1-1.1 update
    arbitrary code execution fix
    This update includes the latest release of Subversion 1.1,
    including the fix for a regression in the performance of
    repository browsing since version 1.1.0 and a variety of other
    bug fixes.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5169.html

  11/12/2004 - gdb-6.1post-1.20040607.43 update
    arbitrary code execution fix
    #136455 workaround to prevent gdb from failing and getting stuck
    when hitting certain DWARF-2 symbols.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5170.html

  11/16/2004 - abiword-2.0.12-4.fc3 update
    arbitrary code execution fix
    Backport fix to stop the #rh139201# crash on CTRL-A and when
    making font changes.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5178.html

  11/16/2004 - authd-1.4.3-1 update
    arbitrary code execution fix
    Fix a double-free problem detected on x86_64 glibc (#136392).
    http://www.linuxsecurity.com/advisories/fedora_advisory-5182.html

  11/16/2004 - gaim-1.0.3-0.FC3 update
    arbitrary code execution fix
    1.0.3, another bugfix release.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5183.html

  11/17/2004 - xorg-x11-6.7.0-10 update
    arbitrary code execution fix
    Several integer overflow flaws in the X.Org libXpm library used to
    decode XPM (X PixMap) images have been found and addressed. An
    attacker could create a carefully crafted XPM file which would
    cause an application to crash or potentially execute arbitrary
    code if opened by a victim.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5191.html

  11/17/2004 - xorg-x11-6.8.1-12.FC3.1 update
    arbitrary code execution fix
    Several integer overflow flaws in the X.Org libXpm library used to
    decode XPM (X PixMap) images have been found and addressed. An
    attacker could create a carefully crafted XPM file which would
    cause an application to crash or potentially execute arbitrary
    code if opened by a victim.
    http://www.linuxsecurity.com/advisories/fedora_advisory-5192.html

+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

  11/18/2004 - fetch
    Overflow error
    An integer overflow condition in the processing of HTTP headers
    can result in a buffer overflow.
    http://www.linuxsecurity.com/advisories/freebsd_advisory-5195.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

  11/16/2004 - Ruby
    Denial of Service issue
    The CGI module in Ruby can be sent into an infinite loop,
    resulting in a Denial of Service condition.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-5173.html

  11/16/2004 - BNC
    Buffer overflow vulnerability
    BNC contains a buffer overflow vulnerability that may lead to
    Denial of Service and execution of arbitrary code.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-5174.html

  11/17/2004 - Squirrelmail
    Encoded text XSS vulnerability
    Squirrelmail fails to properly sanitize user input, which could
    lead to a compromise of webmail accounts.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-5189.html

  11/17/2004 - GIMPS, SETI@home, ChessBrain
    Insecure installation
    Improper file ownership allows user-owned files to be run with
    root privileges by init scripts.
    http://www.linuxsecurity.com/advisories/gentoo_advisory-5190.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  11/17/2004 - gd
    integer overflows fix
    Integer overflows were reported in the GD Graphics Library (libgd)
    2.0.28, and possibly other versions. These overflows allow remote
    attackers to cause a denial of service and possibly execute
    arbitrary code via PNG image files with large image row values
    that lead to a heap-based buffer overflow in the
    gdImageCreateFromPngCtx() function.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5185.html

  11/17/2004 - sudo
    vulnerability fix
    Liam Helmer discovered a flaw in sudo's environment sanitizing.
    This flaw could allow malicious users with permission to run a
    shell script that uses the bash shell to run arbitrary commands.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5186.html

  11/17/2004 - Apache
    buffer overflow fix
    A possible buffer overflow exists in the get_tag() function of
    mod_include, and if SSI (Server Side Includes) are enabled, a
    local attacker may be able to run arbitrary code with the rights
    of an httpd child process.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5187.html

  11/17/2004 - Apache2
    request DoS fix
    A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan
    Trivedi; he found that by sending a large amount of
    specially-crafted HTTP GET requests, a remote attacker could cause
    a Denial of Service on the httpd server.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5188.html

  11/18/2004 - bootloader-utils
    kheader issue fix
    A problem with generating kernel headers exists when using the
    newer kernel-i686-up-64GB package. The updated bootloader-utils
    package corrects the issue.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5196.html

  11/18/2004 - totem
    problem with blue screen fix
    There is a problem in the totem package where in some cases, when
    running totem, a blue screen would appear. Resizing the screen
    seems to fix the problem temporarily; however, upon minimizing or
    maximizing the screen it would once again become blue.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5197.html

  11/18/2004 - drakxtools
    various issues fix
    A number of fixes are available in the updated drakxtools package.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-5198.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

  11/12/2004 - httpd
    security issue and bugs fix
    Updated httpd packages that include fixes for two security issues,
    as well as other bugs, are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-5163.html

  11/12/2004 - freeradius
    security flaws fix
    Updated freeradius packages that fix a number of denial of service
    vulnerabilities as well as minor bugs are now available for Red
    Hat Enterprise Linux 3.
    http://www.linuxsecurity.com/advisories/redhat_advisory-5164.html

  11/12/2004 - libxml2
    security vulnerabilities fix
    An updated libxml2 package that fixes multiple buffer overflows is
    now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-5165.html

  11/16/2004 - samba
    security vulnerabilities fix
    Updated samba packages that fix various security vulnerabilities
    are now available.
    http://www.linuxsecurity.com/advisories/redhat_advisory-5179.html

+---------------------------------+
|  Distribution: Suse             | ----------------------------//
+---------------------------------+

  11/15/2004 - samba
    remote buffer overflow
    There is a problem in the Samba file sharing service daemon which
    allows a remote user to make the service consume lots of computing
    power and potentially crash the service by querying special
    wildcarded filenames.
    http://www.linuxsecurity.com/advisories/suse_advisory-5171.html

  11/17/2004 - xshared, XFree86-libs, xorg-x11-libs
    remote system compromises
    The XPM library, which is part of the XFree86/XOrg project, is
    used by several GUI applications to process XPM image files. A
    source code review done by Thomas Biege of the SuSE Security-Team
    revealed several different kinds of bugs.
    http://www.linuxsecurity.com/advisories/suse_advisory-5184.html

+---------------------------------+
|  Distribution: Trustix          | ----------------------------//
+---------------------------------+

  11/16/2004 - gd samba sqlgrey sudo
    Various security fixes
    gd is a graphics library. It allows your code to quickly draw
    images complete with lines, arcs, text, multiple colors, cut and
    paste from other images, and flood fills, and write out the result
    as a PNG or JPEG file.
    http://www.linuxsecurity.com/advisories/trustix_advisory-5175.html

  11/16/2004 - apache automake bind console-tools
    Package bugfix
    Apache is a full featured web server that is freely available, and
    also happens to be the most widely used.
    http://www.linuxsecurity.com/advisories/trustix_advisory-5176.html

  11/16/2004 - iptables
    Loading too many modules
    Olaf Rempel pointed out that the list of modules we autoload is
    too large. This has now been fixed.
    http://www.linuxsecurity.com/advisories/trustix_advisory-5177.html

  11/16/2004 - gd samba sqlgrey sudo
    several overflows
    Several overflows have been found in gd. They can be used to
    execute arbitrary code in programs using the gd library.
    http://www.linuxsecurity.com/advisories/trustix_advisory-5181.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------