Linux Advisory Watch - September 2nd 2005




+---------------------------------------------------------------------+
|  LinuxSecurity.com                             Weekly Newsletter    |
|  September 2nd, 2005                        Volume 6, Number 36a    |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for courier, libpam-ldap, simpleproxy,
backup-manager, kismet, php, phpldapadmin, maildrop, pstotext, sqwebmail,
polygen, audit, freeradius, openmotif, php, ntp, openoffice, lesstif,
libsoup, evolution, kernel, selinux-policy-targeted, policycoreutils, xen,
dbus, evince, poppler, phpWiki, phpGroupWare, phpWebSite, pam_ldap, and
mplayer. The distributors include Debian, Fedora, Gentoo, and Red Hat.

---

## Master of Science in Information Security ##

Earn your Master of Science in Information Security online from Norwich
University. Designated a "Center of Excellence", the program offers a
solid education in the management of information assurance, and the
unique case study method melds theory into practice.  Using today's
e-Learning technology, you can earn this esteemed degree, without
disrupting your career or home life.

LEARN MORE:
http://www.msia.norwich.edu/linux_en

---

Introduction: IP Spoofing, Part II


IP Fragment Attacks:

When packets are too large to be sent in a single IP packet, due
to interface hardware limitations for example, an intermediate
router can split them up unless prohibited by the Don't Fragment
flag. IP fragmentation occurs when a router receives a packet
larger than the MTU (Maximum Transmission Unit) of the next
network segment. All such fragments will have the same
Identification field value, and the fragment offset indicates
the position of the current fragment in the context of the
pre-split up packet. Intermediate routers are not expected
to re-assemble the fragments. The final destination will
reassemble all the fragments of an IP packet and pass it to
higher protocol layers like TCP or UDP.

Attackers create artificially fragmented packets in order to
circumvent firewalls that do not perform packet reassembly.
Such firewalls only consider the properties of each individual
fragment, and let the fragments through to the final destination.
One such attack involving fragments is known as the tiny fragment
attack.

In the tiny fragment attack, two TCP fragments are created. The
first fragment is so small that it does not even include the full
TCP header, in particular the destination port number. The second
fragment contains the remainder of the TCP header, including the
port number. Another type of malicious fragmentation involves
fragments that have illegal fragment offsets.

A fragment offset value gives the index position of this
fragment's data in the reassembled packet. In the malicious case,
the second fragment carries an offset value that is less than the
length of the data in the first fragment. For example, if the first
fragment was 24 bytes long, the second fragment may claim to have
an offset of 20. Upon reassembly, the data in the second fragment
overwrites the last four bytes of the data from the first fragment.
If the unfragmented packet were TCP, the first fragment would
contain the TCP header, and the overwrite would replace the
destination port number in that header.

In the IP layer implementations of nearly all operating systems,
there are bugs in the reassembly code. An attacker can create and
send a pair of carefully crafted but malformed IP fragments that,
in the process of reassembly, cause a server to panic and crash.
When the receiving host attempts to reassemble such a packet, it
calculates a negative length for the second fragment. This value
is passed to a function such as memcpy(), which copies from one
memory area to another and takes the negative number to be an
enormous unsigned (positive) number.

Another type of attack involves sending fragments that if
reassembled will be an abnormally large packet, larger than
the maximum permissible length for an IP packet. The attacker
hopes that the receiving host will crash while attempting to
reassemble the packet. The Ping of Death used this attack.
It creates an ICMP echo request packet, which is larger
than the maximum packet size of 65,535 bytes.
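As an added example (not part of the original article), the following Python checker applies the three tests described above to one datagram's fragments: it flags a first fragment too short to carry the TCP ports, a fragment offset that lands inside data an earlier fragment already supplied, and a reassembled size above 65,535 bytes. Offsets are given in bytes here (the IP header stores them in 8-byte units); the 20-byte minimum first-fragment policy, the `Fragment` type and the sample fragments are assumptions.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20         # assumed: IPv4 header without options
MAX_IP_DATAGRAM = 65535    # largest total length an IPv4 datagram may have
MIN_FIRST_TCP_BYTES = 20   # assumed policy: first fragment must carry the full TCP base header


@dataclass
class Fragment:
    ident: int    # IP Identification field, shared by all fragments of one datagram
    offset: int   # position of this data in the reassembled payload, in bytes
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments flag


def check_fragments(frags):
    """Return anomaly descriptions for one datagram's fragments ([] if ordinary).

    Mirrors the text: a tiny first fragment hiding the TCP ports, an offset
    inside data an earlier fragment already supplied (including the fully
    contained case where naive reassembly computes a negative length), and
    a reassembled datagram larger than 65,535 bytes.
    """
    if not frags:
        return ["no fragments"]
    issues = []
    if len({f.ident for f in frags}) != 1:
        issues.append("mixed Identification values in one fragment set")
    frags = sorted(frags, key=lambda f: f.offset)
    first = frags[0]
    if first.offset == 0 and first.more and first.length < MIN_FIRST_TCP_BYTES:
        issues.append("tiny first fragment: %d bytes, TCP ports not present" % first.length)
    end = 0  # one past the highest payload byte supplied so far
    for f in frags:
        if f.offset < end:
            rewritten = min(f.length, end - f.offset)
            issues.append("overlap: offset %d rewrites %d byte(s) of earlier data"
                          % (f.offset, rewritten))
            if f.offset + f.length <= end:
                issues.append("fragment at offset %d lies entirely inside earlier data "
                              "(naive trim length would go negative)" % f.offset)
        end = max(end, f.offset + f.length)
    total = IP_HEADER_LEN + end
    if total > MAX_IP_DATAGRAM:
        issues.append("oversized datagram: %d bytes exceeds %d" % (total, MAX_IP_DATAGRAM))
    return issues

# Constructed sample: the text's 24-byte first fragment, then one claiming offset 20.
TEXT_EXAMPLE = [Fragment(ident=7, offset=0, length=24, more=True),
                Fragment(ident=7, offset=20, length=12, more=False)]
```

A reassembling firewall would drop the whole fragment set whenever `check_fragments` returns anything, rather than judging each fragment on its own.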


READ ENTIRE ARTICLE:
http://www.linuxsecurity.com/content/view/120225/49/

----------------------

Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and directory
permissions that are far too liberal and allow access beyond that which
is needed for proper system operations. A full explanation of unix file
permissions is beyond the scope of this article, so I'll assume you are
familiar with the usage of such tools as chmod, chown, and chgrp. If
you'd like a refresher, one is available right here on linuxsecurity.com.

http://www.linuxsecurity.com/content/view/119415/49/

---

Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to store more
data in a temporary data storage area than it was intended to hold. Since
buffers are created to contain a finite amount of data, the extra
information can overflow into adjacent buffers, corrupting or overwriting
the valid data held in them.

http://www.linuxsecurity.com/content/view/119087/49/

---

Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Pattrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.

http://www.linuxsecurity.com/content/view/119027/49/


--------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New courier packages fix denial of service
  25th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120213


* Debian: New libpam-ldap packages fix authentication bypass
  25th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120222


* Debian: New simpleproxy packages fix arbitrary code execution
  26th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120227


* Debian: New backup-manager package fixes several vulnerabilities
  26th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120228


* Debian: New kismet packages fix arbitrary code execution
  29th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120243


* Debian: New PHP 4 packages fix several vulnerabilities
  29th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120248


* Debian: New phpldapadmin packages fix unauthorised access
  30th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120253


* Debian: New maildrop packages fix arbitrary group mail command
execution
  30th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120254


* Debian: New pstotext packages fix arbitrary command execution
  31st, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120264


* Debian: New sqwebmail packages fix cross-site scripting
  1st, September, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120273


* Debian: New Mozilla Firefox packages fix several vulnerabilities
  1st, September, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120278


* Debian: New polygen packages fix denial of service
  1st, September, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120280




+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 4 Update: audit-1.0.3-1.fc4
  25th, August, 2005

This update corrects a flaw where the devmajor, devminor, success,
exit, and inode values for syscall rules were being set to 0 before
being sent to the kernel.

http://www.linuxsecurity.com/content/view/120218


* Fedora Core 3 Update: freeradius-1.0.1-2.FC3.1
  25th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120219


* Fedora Core 3 Update: openmotif-2.2.3-9.FC3.1
  25th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120220


* Fedora Core 3 Update: php-4.3.11-2.7
  25th, August, 2005

This update includes the latest upstream version of the PEAR XML_RPC
package, which fixes a security issue in request parsing in the
XML_RPC Server code.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2498 to this
issue.

http://www.linuxsecurity.com/content/view/120221


* Fedora Core 4 Update: php-5.0.4-10.4
  25th, August, 2005

This update includes the latest upstream version of the PEAR XML_RPC
package, which fixes a security issue in request parsing in the
XML_RPC Server code.  The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-2498 to this
issue.

http://www.linuxsecurity.com/content/view/120223


* Fedora Core 3 Update: ntp-4.2.0.a.20040617-5.FC3
  26th, August, 2005

When starting xntpd with the -u option and specifying the group by
name rather than by a numeric gid, the daemon uses the gid of the
user, not the group. This problem is fixed by this update.

http://www.linuxsecurity.com/content/view/120232


* Fedora Core 4 Update: openoffice.org-1.9.125-1.1.0.fc4
  26th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120233


* Fedora Core 3 Update: lesstif-0.93.36-6.FC3.2
  26th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120234


* Fedora Core 4 Update: libsoup-2.2.3-4.FC4
  26th, August, 2005

Fixes a problem with NTLM authentication in
evolution-connector with usernames of the form DOMAINUSERNAME.

http://www.linuxsecurity.com/content/view/120235


* Fedora Core 3 Update: libsoup-2.2.2-2.FC3
  26th, August, 2005

Fixes a problem with NTLM authentication in
evolution-connector with usernames of the form DOMAINUSERNAME.

http://www.linuxsecurity.com/content/view/120236


* Fedora Core 3 Update: evolution-connector-2.0.4-2
  26th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120237


* Fedora Core 4 Update: kernel-2.6.12-1.1447_FC4
  28th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120239


* Fedora Core 3 Update: kernel-2.6.12-1.1376_FC3
  28th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120240


* Fedora Core 4 Update: selinux-policy-targeted-1.25.4-10
  29th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120245


* Fedora Core 4 Update: policycoreutils-1.23.11-3.2
  29th, August, 2005

Fix updates to not traverse NFS home dirs.

http://www.linuxsecurity.com/content/view/120247


* Fedora Core 4 Update: xen-2-20050823
  29th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120251


* Fedora Core 4 Update: dbus-0.33-3.fc4.1
  29th, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120252


* Fedora Core 4 Update: evince-0.4.0-1.1
  31st, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120270


* Fedora Core 4 Update: poppler-0.4.1-1.1
  31st, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120271


* Fedora Core 4 Update: xorg-x11-6.8.2-37.FC4.45
  31st, August, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120272


* Fedora Core 4 Update: evince-0.4.0-1.2
  1st, September, 2005

Updated package.

http://www.linuxsecurity.com/content/view/120279



+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: Kismet Multiple vulnerabilities
  26th, August, 2005

Kismet is vulnerable to multiple issues potentially resulting in the
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120231


* Gentoo: Apache 2.0 Denial of Service vulnerability
  25th, August, 2005

A bug in Apache may allow a remote attacker to perform a Denial of
Service attack.

http://www.linuxsecurity.com/content/view/120208


* Gentoo: Tor Information disclosure
  25th, August, 2005

A flaw in Tor leads to the disclosure of information and the loss of
anonymity, integrity and confidentiality.

http://www.linuxsecurity.com/content/view/120209


* Gentoo: libpcre Heap integer overflow
  25th, August, 2005

libpcre is vulnerable to a heap integer overflow, possibly leading to
the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120224


* Gentoo: PhpWiki Arbitrary command execution through XML-RPC
  26th, August, 2005

PhpWiki includes PHP XML-RPC code which is vulnerable to arbitrary
command execution.

http://www.linuxsecurity.com/content/view/120229


* Gentoo: lm_sensors Insecure temporary file creation
  30th, August, 2005

lm_sensors is vulnerable to linking attacks, potentially allowing a
local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/120260


* Gentoo: phpGroupWare Multiple vulnerabilities
  30th, August, 2005

phpGroupWare is vulnerable to multiple issues ranging from
information disclosure to a potential execution of arbitrary code.

http://www.linuxsecurity.com/content/view/120261


* Gentoo: phpWebSite Arbitrary command execution through XML-RPC and
SQL injection
  31st, August, 2005

phpWebSite is vulnerable to multiple issues which result in the
execution of arbitrary code and SQL injection.

http://www.linuxsecurity.com/content/view/120267


* Gentoo: pam_ldap Authentication bypass vulnerability
  31st, August, 2005

pam_ldap contains a vulnerability that may allow a remote attacker to
gain system access.

http://www.linuxsecurity.com/content/view/120268


* Gentoo: MPlayer Heap overflow in ad_pcm.c
  1st, September, 2005

A heap overflow in MPlayer might lead to the execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/120276



+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Important: kernel security update
  25th, August, 2005

Updated kernel packages that fix a number of security issues as well
as other bugs are now available for Red Hat Enterprise Linux 2.1 (32
bit architectures). This update has been rated as having important
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120216


* RedHat: Important: kernel security update
  25th, August, 2005

Updated kernel packages are now available to correct security issues
and bugs for Red Hat Enterprise Linux version 2.1 (Itanium). This
update has been rated as having important security impact by the Red
Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120217


* RedHat: Important: Evolution security update
  29th, August, 2005

Updated evolution packages that fix a format string issue are now
available. This update has been rated as having important security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/120249


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

