+---------------------------------------------------------------------+
|  LinuxSecurity.com                            Weekly Newsletter     |
|  May 25th 2007                               Volume 8, Number 21a   |
+---------------------------------------------------------------------+

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave@xxxxxxxxxxxxxxxxx          ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week advisories were released for samba, xfree86, php5, clamav,
gforge-plugin-scmcvs, tomcat5, phpwiki, mod_security, pptpd, fetchmail,
squirrelmail, evolution, tetex, ipsec-tools, vixie-cron, libpng, gimp,
Quagga, and vim. The distributors include Debian, Fedora, Gentoo,
Mandriva, Red Hat, SuSE, and Ubuntu.

---

Vyatta - Linux-based Router, Firewall & VPN

Vyatta software and appliances combine the features, performance and
reliability of enterprise-class networking gear with the cost-savings
and flexibility of Linux-based solutions. Vyatta empowers you to replace
overpriced proprietary router, firewall and VPN equipment with
commercially supported open-source solutions.

Free Vyatta Software & Live Webinars >>
http://www.linuxsecurity.com/ads/adclick.php?bannerid=28

---

* EnGarde Secure Linux v3.0.13 Now Available

  Guardian Digital is happy to announce the release of EnGarde Secure
  Community 3.0.13 (Version 3.0, Release 13). This release includes
  several bug fixes and feature enhancements to the SELinux policy and
  several updated packages.

  http://wiki.engardelinux.org/index.php/ReleaseNotes3.0.13

---

RFID with Bio-Smart Card in Linux

In this paper, we describe the integration of fingerprint template and
RF smart card for clustered network, which is designed on Linux platform
and Open source technology to obtain biometrics security.
The combination of smart card and biometrics achieves two-step
authentication: the smart card authenticates its holder with a Personal
Identification Number (PIN), and the card holder is then authenticated
by fingerprint verification against the biometric template stored in the
smart card.

http://www.linuxsecurity.com/content/view/125052/171/

---

Packet Sniffing Overview

The best way to secure yourself against sniffing is to use encryption.
While this won't prevent a sniffer from functioning, it will ensure that
what a sniffer reads is pure junk.

http://www.linuxsecurity.com/content/view/123570/49/

--------

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

* Debian: New samba packages fix multiple vulnerabilities
  17th, May, 2007

  Various bugs in Samba's NDR parsing can allow a user to send specially
  crafted MS-RPC requests that will overwrite the heap space with
  user-defined data.

  http://www.linuxsecurity.com/content/view/128228

* Debian: New xfree86 packages fix several vulnerabilities
  17th, May, 2007

  Several vulnerabilities have been discovered in the X Window System,
  which may lead to privilege escalation. Sean Larsson discovered an
  integer overflow in the XC-MISC extension, which might lead to denial
  of service or local privilege escalation.

  http://www.linuxsecurity.com/content/view/128235

* Debian: New php5 packages fix several vulnerabilities
  19th, May, 2007

  Several remote vulnerabilities have been discovered in PHP, a
  server-side, HTML-embedded scripting language, which may lead to the
  execution of arbitrary code.
  The Common Vulnerabilities and Exposures project identifies the
  following problems:

  http://www.linuxsecurity.com/content/view/128251

* Debian: New clamav packages fix denial of service vulnerability
  21st, May, 2007

  On 25 April, the Debian Security Team released clamav 0.90.1-3etch1,
  an update to the Clam anti-virus toolkit, to address several
  vulnerabilities. Unfortunately, there was an error in the updated
  packages and CVE-2007-2029, a file descriptor leak in the PDF document
  handler, was not properly fixed in Debian 4.0 (etch) or the Debian
  testing distribution (lenny). This problem has been fixed in version
  0.90.1-3etch2 for Debian 4.0 (etch).

  http://www.linuxsecurity.com/content/view/128262

* Debian: New php4 packages fix privilege escalation
  21st, May, 2007

  It was discovered that the ftp extension of PHP, a server-side,
  HTML-embedded scripting language, performs insufficient input
  sanitising, which permits an attacker to execute arbitrary FTP
  commands. This requires the attacker to already have access to the
  FTP server.

  http://www.linuxsecurity.com/content/view/128263

* Debian: New gforge-plugin-scmcvs packages fix arbitrary shell command
  execution
  24th, May, 2007

  Bernhard R. Link discovered that the CVS browsing interface of Gforge,
  a collaborative development tool, performs insufficient escaping of
  URLs, which allows the execution of arbitrary shell commands with the
  privileges of the www-data user.

  http://www.linuxsecurity.com/content/view/128325

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

* Fedora Core 6 Update: tomcat5-5.5.23-0jpp.2.fc6
  21st, May, 2007

  Several security issues were reported to be fixed in releases prior
  to tomcat5.5.23. Tomcat was found to accept multiple content-length
  headers in a request. This could allow attackers to poison a
  web-cache, bypass web application firewall protection, or conduct
  cross-site scripting attacks.
  http://www.linuxsecurity.com/content/view/128271

* Fedora Core 6 Update: jakarta-commons-modeler-1.1-8jpp.2.fc6
  21st, May, 2007

  Several security issues were reported to be fixed in releases prior
  to tomcat5.5.23. Tomcat was found to accept multiple content-length
  headers in a request. This could allow attackers to poison a
  web-cache, bypass web application firewall protection, or conduct
  cross-site scripting attacks.

  http://www.linuxsecurity.com/content/view/128272

* Fedora Core 5 Update: samba-3.0.24-6.fc5
  21st, May, 2007

  Security bugs were found in samba-3.0.24-6.fc5. This update fixes an
  nmbd segfault in some rare conditions. It also fixes a bug introduced
  with CVE-2007-2444 in some configurations, and fixes CVE-2007-0452, a
  Samba smbd denial of service.

  http://www.linuxsecurity.com/content/view/128278

* Fedora Core 5 Update: php-5.1.6-1.6
  24th, May, 2007

  This update fixes a number of security issues in PHP. A heap buffer
  overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script
  which implements an XML-RPC server using this extension could allow a
  remote attacker to execute arbitrary code as the 'apache' user.

  http://www.linuxsecurity.com/content/view/128317

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

* Gentoo: PhpWiki Remote execution of arbitrary code
  17th, May, 2007

  A vulnerability has been discovered in PhpWiki allowing for the remote
  execution of arbitrary code. A remote attacker could upload a
  specially crafted PHP file to the vulnerable server, resulting in the
  execution of arbitrary PHP code with the privileges of the user
  running PhpWiki.
  http://www.linuxsecurity.com/content/view/128229

* Gentoo: Apache mod_security Rule bypass
  17th, May, 2007

  A vulnerability has been discovered in mod_security, allowing a remote
  attacker to bypass rules. A remote attacker could send a specially
  crafted POST request, possibly bypassing the module ruleset and
  leading to the execution of arbitrary code in the scope of the web
  server with the rights of the user running the web server.

  http://www.linuxsecurity.com/content/view/128230

* Gentoo: PPTPD Denial of Service attack
  20th, May, 2007

  PPTPD is a Point-to-Point Tunnelling Protocol Daemon for Linux. A
  vulnerability has been reported in PPTPD which could lead to a Denial
  of Service.

  http://www.linuxsecurity.com/content/view/128254

+---------------------------------+
|  Distribution: Mandriva         | ----------------------------//
+---------------------------------+

* Mandriva: Updated fetchmail packages fix potential APOP vulnerabilities
  17th, May, 2007

  The APOP functionality in fetchmail's POP3 client implementation was
  validating the APOP challenge too lightly, accepting random garbage as
  a POP3 server's APOP challenge rather than insisting it conform to the
  RFC-822 specifications. Updated packages have been patched to prevent
  these issues; however, it should be noted that the APOP MD5-based
  authentication scheme should no longer be considered secure.

  http://www.linuxsecurity.com/content/view/128238

* Mandriva: Updated squirrelmail packages fix vulnerabilities
  19th, May, 2007

  A number of HTML filtering bugs were found in SquirrelMail that could
  allow an attacker to inject arbitrary JavaScript, leading to
  cross-site scripting attacks, by sending an email viewed by a user
  within SquirrelMail (CVE-2007-1262).

  http://www.linuxsecurity.com/content/view/128252

* Mandriva: Updated evolution packages fix APOP weakness
  20th, May, 2007

  A weakness in the way Evolution processed certain APOP authentication
  requests was discovered.
  A remote attacker could potentially obtain certain portions of a
  user's authentication credentials by sending certain responses when
  evolution-data-server attempted to authenticate against an APOP
  server. The updated packages have been patched to prevent this issue.

  http://www.linuxsecurity.com/content/view/128253

* Mandriva: Updated tetex packages fix vulnerabilities
  23rd, May, 2007

  Buffer overflow in the gdImageStringFTEx function in gdft.c in the GD
  Graphics Library 2.0.33 and earlier allows remote attackers to cause a
  denial of service (application crash) and possibly execute arbitrary
  code via a crafted string with a JIS encoded font. Tetex 3.x uses an
  embedded copy of the gd source and may also be affected by this issue.

  http://www.linuxsecurity.com/content/view/128312

* Mandriva: Updated samba packages fix multiple
  24th, May, 2007

  A number of bugs were discovered in the NDR parsing support in Samba
  that is used to decode MS-RPC requests. A remote attacker could send a
  carefully crafted request that would cause a heap overflow, possibly
  leading to the ability to execute arbitrary code on the server.

  http://www.linuxsecurity.com/content/view/128313

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

* RedHat: Moderate: ipsec-tools security update
  17th, May, 2007

  Updated ipsec-tools packages that fix a denial of service flaw in
  racoon are now available for Red Hat Enterprise Linux 5. A denial of
  service flaw was found in the ipsec-tools racoon daemon. It was
  possible for a remote attacker, with knowledge of an existing ipsec
  tunnel, to terminate the ipsec connection between two machines. This
  update has been rated as having moderate security impact by the Red
  Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/128231

* RedHat: Moderate: vixie-cron security update
  17th, May, 2007

  The vixie-cron package contains the Vixie version of cron.
  Cron is a standard UNIX daemon that runs specified programs at
  scheduled times. Raphael Marichez discovered a denial of service bug
  in the way vixie-cron verifies crontab file integrity. A local user
  with the ability to create a hardlink to /etc/crontab can prevent
  vixie-cron from executing certain system cron jobs.

  http://www.linuxsecurity.com/content/view/128232

* RedHat: Moderate: evolution security update
  17th, May, 2007

  Updated evolution packages that fix a security bug are now available
  for Red Hat Enterprise Linux 3 and 4. A flaw was found in the way
  Evolution processed certain APOP authentication requests. A remote
  attacker could potentially acquire certain portions of a user's
  authentication credentials by sending certain responses when
  evolution-data-server attempted to authenticate against an APOP
  server.

  http://www.linuxsecurity.com/content/view/128233

* RedHat: Moderate: squirrelmail security update
  17th, May, 2007

  A new squirrelmail package that fixes security issues is now available
  for Red Hat Enterprise Linux 3, 4 and 5. Several HTML filtering bugs
  were discovered in SquirrelMail. An attacker could inject arbitrary
  JavaScript leading to cross-site scripting attacks by sending an
  e-mail viewed by a user within SquirrelMail. This update has been
  rated as having moderate security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/128234

* RedHat: Moderate: libpng security update
  17th, May, 2007

  Updated libpng packages that fix security issues are now available for
  Red Hat Enterprise Linux. A flaw was found in the handling of
  malformed images in libpng. An attacker could create a carefully
  crafted PNG image file in such a way that it could cause an
  application linked with libpng to crash when the file was manipulated.
  This update has been rated as having moderate security impact by the
  Red Hat Security Response Team.
  http://www.linuxsecurity.com/content/view/128236

* RedHat: Moderate: gimp security update
  21st, May, 2007

  Updated gimp packages that fix a security issue are now available for
  Red Hat Enterprise Linux. Marsu discovered a stack overflow bug in The
  GIMP RAS file loader. An attacker could create a carefully crafted
  file that could cause The GIMP to crash or possibly execute arbitrary
  code if the file was opened by a victim. This update has been rated as
  having moderate security impact by the Red Hat Security Response Team.

  http://www.linuxsecurity.com/content/view/128256

* RedHat: Important: tomcat security update
  21st, May, 2007

  Updated tomcat packages that fix multiple security issues are now
  available for Red Hat Application Server v2. Tomcat was found to
  accept multiple content-length headers in a request. This could allow
  attackers to poison a web-cache, bypass web application firewall
  protection, or conduct cross-site scripting attacks. This update has
  been rated as having important security impact by the Red Hat Security
  Response Team.

  http://www.linuxsecurity.com/content/view/128257

* RedHat: Important: tomcat security update
  24th, May, 2007

  Updated tomcat packages that fix multiple security issues and a bug
  are now available for Red Hat Developer Suite 3. Tomcat was found to
  accept multiple content-length headers in a request. This could allow
  attackers to poison a web-cache, bypass web application firewall
  protection, or conduct cross-site scripting attacks.

  http://www.linuxsecurity.com/content/view/128320

+---------------------------------+
|  Distribution: SuSE             | ----------------------------//
+---------------------------------+

* SuSE: samba security problems
  22nd, May, 2007

  The Samba server was affected by several security problems which have
  been fixed. Specially crafted MS-RPC packets could overwrite heap
  memory and therefore could potentially be exploited to execute code.
  Authenticated users could leverage specially crafted MS-RPC packets to
  pass arguments unfiltered to /bin/sh.

  http://www.linuxsecurity.com/content/view/128283

* SuSE: php4,php5 security problems
  23rd, May, 2007

  Numerous vulnerabilities have been fixed in PHP. Most of them were
  made public during the "Month of PHP Bugs" project by Stefan Esser and
  we thank Stefan for his reports. The vulnerabilities potentially lead
  to crashes, information leaks or even execution of malicious code.

  http://www.linuxsecurity.com/content/view/128300

+---------------------------------+
|  Distribution: Ubuntu           | ----------------------------//
+---------------------------------+

* Ubuntu: Quagga vulnerability
  17th, May, 2007

  It was discovered that Quagga did not correctly verify length
  information sent from configured peers. Remote malicious peers could
  send a specially crafted UPDATE message which would cause bgpd to
  abort, leading to a denial of service.

  http://www.linuxsecurity.com/content/view/128237

* Ubuntu: pptpd regression
  21st, May, 2007

  USN-459-1 fixed vulnerabilities in pptpd. However, a portion of the
  fix caused a regression in session establishment under Dapper for
  certain PPTP clients. This update fixes the problem. We apologize for
  the inconvenience.

  http://www.linuxsecurity.com/content/view/128267

* Ubuntu: Samba regression
  22nd, May, 2007

  USN-460-1 fixed several vulnerabilities in Samba. The upstream changes
  for CVE-2007-2444 had an unexpected side-effect in Feisty. Paul
  Griffith and Andrew Hogue discovered that Samba did not fully drop
  root privileges while translating SIDs. A remote authenticated user
  could issue SMB operations during a small window of opportunity and
  gain root privileges. (CVE-2007-2444)

  http://www.linuxsecurity.com/content/view/128291

* Ubuntu: PHP vulnerabilities
  22nd, May, 2007

  A flaw was discovered in the FTP command handler in PHP. Commands were
  not correctly filtered for control characters.
  An attacker could issue arbitrary FTP commands using specially crafted
  arguments.

  http://www.linuxsecurity.com/content/view/128293

* Ubuntu: vim vulnerability
  22nd, May, 2007

  Tomas Golembiovsky discovered that some vim commands were accidentally
  allowed in modelines. By tricking a user into opening a specially
  crafted file in vim, an attacker could execute arbitrary code with
  user privileges.

  http://www.linuxsecurity.com/content/view/128294

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------