[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Linux Advisory Watch - August 16th 2002




+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  August 16th, 2002                        Volume 3, Number 33a |
+----------------------------------------------------------------+
 
  Editors:     Dave Wreski                Benjamin Thomas
               dave@linuxsecurity.com     ben@linuxsecurity.com
 
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for cvs, mailman, hylafax,
interchange, l2tpd, xinetd, glibc, modssl, chfn, libpng, bind, xchat,
shareutils, tcl/tk, mm, and ipppd.  The vendors include Caldera, Debian,
Gentoo, Mandrake, OpenBSD, Red Hat, SuSE, Trustix, and Yellow Dog.

* Developing with open standards?  * Demanding High Performance?

Catch the Oracle9i JDeveloper wave now and check out how built-in
profilers and CodeCoach make your Java code tighter and faster than ever
before.

 --> Download your FREE copy of Oracle9i JDeveloper Today. 
 --> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=oracle4


FEATURE: Centralized File-Integrity With Samhain Part I There is no silver
bullet in security; rather, due diligence and knowledge are the best
foundations for solid management of risk. The focus of this document is
distinctively on workstations: those located in a corporate environment,
those situated at the house, and the myriad of situations that fall
somewhere in-between.

http://www.linuxsecurity.com/feature_stories/feature_story-116.html


)) FREE Apache SSL Guide from Thawte  ((  
Are you worried about your web server security? Click here to get a
FREE Thawte Apache SSL Guide and find the answers to all your Apache
SSL security needs.  
       ---->  http://www.gothawte.com/rd363.html <-----

 
+---------------------------------+
|  Package: cvs                   | ----------------------------//
|  Date: 08-06-2002               |
+---------------------------------+
  
Description: 
There is a locally exploitable vulnerability in the cvsd program. 

Vendor Alerts: 

 Caldera: 
 ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/
 CSSA-2002-035.0/RPMS/ 
 cvs-1.11-8.i386.rpm 
 446921ba85f2f865d698060ab344d189  

 cvs-doc-ps-1.11-8.i386.rpm 
 11ddbffdbf9310b24364b2b91d851acc  

 Caldera Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/caldera_advisory-2267.html 
 
 

+---------------------------------+
|  Package: mailman               | ----------------------------//
|  Date: 08-16-2002               |
+---------------------------------+

Description: 
A cross-site scripting vulnerability was discovered in mailman, a
software to manage electronic mailing lists.  When a properly crafted
URL is accessed with Internet Explorer (other browsers don't seem to
be affected), the resulting webpage is rendered similar to the real
one, but the javascript component is executed as well, which could be
used by an attacker to get access to sensitive information. 

Vendor Alerts: 
 Debian Intel IA-32 architecture: 

 http://security.debian.org/pool/updates/main/m/mailman/ 
 mailman_1.1-10.1_i386.deb 
 Size/MD5 checksum:   328680 58aab5cf2c13a03952f22097c7224e01 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2268.html
 

  
  
+---------------------------------+
|  Package: hylafax               | ----------------------------//
|  Date: 08-12-2002               |
+---------------------------------+  

Description: 
A set of problems have been discovered in Hylafax, a flexible
client/server fax software distributed with many GNU/Linux 
distributions. 

Vendor Alerts: 

 Debian Intel IA-32 architecture: 

 http://security.debian.org/pool/updates/main/h/hylafax/ 
 hylafax-client_4.0.2-14.3_i386.deb 
 Size/MD5 checksum:   398406 9e30d17b4645472b1b04bab0962c1080 

 http://security.debian.org/pool/updates/main/h/hylafax/ 
 hylafax-server_4.0.2-14.3_i386.deb 
 Size/MD5 checksum:   877434 1ae774e2115c983eed9fda2b6c19aa84 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2277.html
 

+---------------------------------+
|  Package: interchange           | ----------------------------//
|  Date: 08-12-2002               |
+---------------------------------+  

Description: 
A problem has been discovered in Interchange, an e-commerce and
general HTTP database display system, which can lead to an attacker
being able to read any file to which the user of the Interchange
daemon has sufficient permissions, when Interchange runs in "INET
mode" (internet domain socket).  

Vendor Alerts: 

 Debian Intel IA-32 architecture 

 http://security.debian.org/pool/updates/main/i/interchange/ 
 interchange_4.8.3.20020306-1.woody.1_i386.deb 
 Size/MD5 checksum:   852744 7a40058ecc9119c740826b3dbc9660d0  

 http://security.debian.org/pool/updates/main/i/interchange/ 
 libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb 
 Size/MD5 checksum:    13156 234c7d614aa28de64d5d33dcb49e654d 

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2280.html 
 

 
+---------------------------------+
|  Package: l2tpd                 | ----------------------------//
|  Date: 08-16-2002               |
+---------------------------------+  

Description: 
Current versions of l2tpd, a layer 2 tunneling client/server program,
forgot to initialize the random generator which made it vulnerable
since all generated random number were 100% guessable. When dealing
with the size of the value in an attribute value pair, too many bytes
were able to be copied, which could lead into the vendor field being
overwritten. 
  
Vendor Alerts: 

 Debian Intel IA-32 architecture 
  
 http://security.debian.org/pool/updates/ 
 main/l/l2tpd/l2tpd_0.67-1.1_i386.deb 
 Size/MD5 checksum:    88130 bbd745997296fd61edc9777de121c9a5

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2281.html 

  

+---------------------------------+
|  Package: xinetd                | ----------------------------//
|  Date: 08-13-2002               |
+---------------------------------+  

Description: 
Solar Designer found a vulnerability in xinetd, a replacement for the
BSD derived inetd.  File descriptors for the signal pipe introduced
in version 2.3.4 are leaked into services started from xinetd. The
descriptors could be used to talk to xinetd resulting in crashing it
entirely.  This is usually called a denial of service. 

Vendor Alerts: 

 Debian Intel IA-32 architecture 
 http://security.debian.org/pool/updates/ 
 main/x/xinetd/xinetd_2.3.4-1.2_i386.deb 

 Size/MD5 checksum:   114380 82e2f7248fcec69f1a4390d4e22c799d 
  
 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2282.html 
 
 Gentoo 
 http://www.linuxsecurity.com/advisories/other_advisory-2285.html 

  
  
+---------------------------------+
|  Package: glibc                 | ----------------------------//
|  Date: 08-13-2002               |
+---------------------------------+  

Description: 
An integer overflow bug has been discovered in the RPC library used
by GNU libc, which is derived from the SunRPC library. This bug
could be exploited to gain unauthorized root access to software
linking to this code.  The packages below also fix integer overflows
in the malloc code.  They also contain a fix from Andreas Schwab to
reduce linebuflen in parallel to bumping up the buffer pointer in the
NSS DNS code. 

Vendor Alerts: 

 Debian Intel IA-32 architecture 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Debian Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/debian_advisory-2283.html 

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2286.html 


 Trustix Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2287.html 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2284.html
 

  
  
+---------------------------------+
|  Package: modssl                | ----------------------------//
|  Date: 08-08-2002               |
+---------------------------------+  

Description: 
Frank Denis discovered an off-by-one error in mod_ssl dealing 
with the handling of older configuration directorives (the
rewrite_command hook). A malicious user could use a
specially-crafted .htaccess file to execute arbitrary commands as the
apache user or execute a DoS against the apache child processes. 

Vendor Alerts: 
 Mandrake Linux 8.2: 
 8.2/RPMS/mod_ssl-2.8.7-3.1mdk.i586.rpm 
 406eee7d9607cf40f5cea3376fe38697   
 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2270.html 

 
 Yellow Dog Linux: 
 http://www.linuxsecurity.com/advisories/other_advisory-2275.html 



+---------------------------------+
|  Package: chfn                  | ----------------------------//
|  Date: 08-08-2002               |
+---------------------------------+  

Description: 
Michal Zalewski found a vulnerability in the util-linux package with
the chfn utility.  This utility allows users to modify some
information in the /etc/passwd file, and is installed setuid root. 
Using a carefully crafted attack sequence, an attacker can exploit a
complex  file locking and modification race that would allow them to
make changes to the /etc/passwd file.  To successfully exploit this
vulnerability and obtain privilege escalation, there is a need for
some administrator interaction, and the password file must over over
4kb in size; the attacker's entry cannot be in the last 4kb of the
file. 

Vendor Alerts: 

 Mandrake Linux 8.2: 
 8.2/RPMS/losetup-2.11n-4.3mdk.i586.rpm 
 f137a274c2969ca3b893e96902dee893  

 8.2/RPMS/mount-2.11n-4.3mdk.i586.rpm 
 c074a07a7f3c3fd92b0be2ebd02dff93   

 8.2/RPMS/util-linux-2.11n-4.3mdk.i586.rpm 
 420c1537cb8260f984125fd6311dc3d1   
 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2269.html 




+---------------------------------+
|  Package: libpng                | ----------------------------//
|  Date: 08-13-2002               |
+---------------------------------+  

Description: 
A buffer overflow was found in the in the progressive reader of the
PNG library when the PNG datastream contains more IDAT data than
indicated by the IHDR chunk.  These deliberately malformed
datastreams would crash applications thus potentially allowing an
attacker to execute malicious code.  Many programs make use of the
PNG libraries, including web browsers. This overflow is corrected in
versions 1.0.14 and 1.2.4 of the PNG library. 

Vendor Alerts: 

 Mandrake Linux 8.2: 
 8.2/RPMS/libpng3-1.2.4-3.1mdk.i586.rpm 
 a356a7d29a489d4a4cf69948820818cc   

 8.2/RPMS/libpng3-devel-1.2.4-3.1mdk.i586.rpm 
 d82469cdfdbbab17d95920646f9ab128   

 8.2/RPMS/libpng3-static-devel-1.2.4-3.1mdk.i586.rpm 
 300ca08369f671487bb8c3da92880351   
 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2288.html 




+---------------------------------+
|  Package: bind                  | ----------------------------//
|  Date: 08-15-2002               |
+---------------------------------+  

Description: 
The error condition can be remotely exploited by a special DNS
packet. This can only be used to create a Denial of Service on the
server; the error condition is correctly detected, so it will not
allow an attacker to execute arbitrary code on the server. 

Vendor Alerts: 

 Mandrake Linux 8.2: 
 8.2/RPMS/bind-9.2.1-2.2mdk.i586.rpm 
 c871ab517a1f789a134337dc580ab803   

 8.2/RPMS/bind-devel-9.2.1-2.2mdk.i586.rpm 
 15cdebfe14d8a213101d758137364c72   

 8.2/RPMS/bind-utils-9.2.1-2.2mdk.i586.rpm 
 551bb255ed07bb0b257875190c866b42   

 8.2/RPMS/caching-nameserver-8.1-3.1mdk.noarch.rpm 
 18145fb072aaad5a7272a00ea4e0c411   
 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2289.html 

 
 Red Hat i386: 
 ftp://updates.redhat.com/7.3/en/os/i386/bind-9.2.1-1.7x.2.i386.rpm  

 8636bdf02a5c862a8e7773447ced2a4c 

 ftp://updates.redhat.com/7.3/en/os/i386/ 
 bind-devel-9.2.1-1.7x.2.i386.rpm  
 35007eaef20eb645d6ca7c3e02cb10d8 

 ftp://updates.redhat.com/7.3/en/os/i386/ 
 bind-utils-9.2.1-1.7x.2.i386.rpm 
 b467c81cea2c6653df6bc816401b598c 

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2271.html 
 

 Yellow Dog Linux: 
 http://www.linuxsecurity.com/advisories/other_advisory-2273.html 

  


+---------------------------------+
|  Package: xchat                 | ----------------------------//
|  Date: 08-15-2002               |
+---------------------------------+  

Description: 
In versions of the xchat IRC client prior to version 1.8.9, xchat
does not filter the response from an IRC server when a /dns query is
executed.  xchat resolves hostnames by passing the configured
resolver and hostname to a shell, so an IRC server may return a
malicious response formatted so that arbitrary commands are executed
with the privilege of the user running xchat. 

Vendor Alerts: 

 Mandrake Linux 8.2: 
 8.2/RPMS/xchat-1.8.9-1.1mdk.i586.rpm 
 07acd74eb2ba9e6e993c080f3f62d1db   
 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2290.html 




+---------------------------------+
|  Package: shareutils            | ----------------------------//
|  Date: 08-15-2002               |
+---------------------------------+  

Description: 
The uudecode utility creates output files without checking to see if
it is about to write to a symlink or pipe.  This could be exploited
by a local attacker to overwrite files or lead to privilege
escalation if users decode data into share directories, such as /tmp.
 This update fixes this vulnerability by checking to see if the
destination output file is a symlink or pipe. 

Vendor Alerts: 

 Mandrake Linux 8.2:  
 8.2/RPMS/sharutils-4.2.1-8.1mdk.i586.rpm 
 933544c2edfed6f26eb5e6a9105dd3f1   

 http://www.mandrakesecure.net/en/ftp.php

 Mandrake Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/mandrake_advisory-2291.html 




+---------------------------------+ (OpenBSD)
|  Package: boundary condition    | ----------------------------//
|  Date: 08-14-2002               |
+---------------------------------+  

Description: 
Local users can obtain complete system privileges and circumvent the
extra security measures provided by the securelevel system. 

Vendor Alerts: 

 OpenBSD: 
 ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/014_scarg.patch


 OpenBSD Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/openbsd_advisory-2279.html 



+---------------------------------+
|  Package: mm                    | ----------------------------//
|  Date: 08-10-2002               |
+---------------------------------+  

Description: 
The MM library provides an abstraction layer which allows related
processes to share data easily. On systems where shared memory or
other inter-process communication mechanisms are not available, the
MM library emulates them using temporary files. MM is used in [Yellow
Dog] Linux to providing shared memory pools to Apache modules.
Versions of MM up to and including 1.1.3 open temporary files in an
unsafe manner, allowing a malicious local user to cause an
application which uses MM to overwrite any file to which it has write
access. 

Vendor Alerts: 

 Yellow Dog Linux: 
 ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/ 
 ppc/mm-1.1.3-8.2.3a.ppc.rpm 
 730e6a5ed0ecd367bdef2ebb4fa8c0ca

 Yellow Dog Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/other_advisory-2274.html 

  


+---------------------------------+
|  Package: tcl/tk                | ----------------------------//
|  Date: 08-10-2002               |
+---------------------------------+  

Description: 
The tcl/tk package searched for its libraries in the current working
directory before other directories, which could allow local users to
execute arbitrary code by writing Trojan horse library that is under
a user-controlled directory. 
  
Vendor Alerts: 

 Red Hat Linux: 
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Red Hat Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/redhat_advisory-2278.html 



+---------------------------------+
|  Package: ipppd                 | ----------------------------//
|  Date: 08-10-2002               |
+---------------------------------+  

Description: 
The i4l package contains several programs for ISDN maintenance and
connectivity on Linux. The ipppd program which is part of the package
contained various buffer overflows and format string bugs. Since
ipppd is installed setuid to root and executable by users of group
'dialout' this may allow attackers with appropriate group membership
to execute arbitrary commands as root. 

Vendor Alerts: 

 SuSE: 
 ftp://ftp.suse.com/pub/suse/i386/update/ 
 7.3/n1/i4l-2002.7.23-0.i386.rpm 
 1d5fff19d48eb1b0652c21c139fdf53d

 SuSE Vendor Advisory: 
 http://www.linuxsecurity.com/advisories/suse_advisory-2276.html 



------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


[Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Video for Linux]     [Bugtraq]     [USB]     [Fedora Security]

Add to Google Powered by Linux