Information Security News mailing list archives
Linux Advisory Watch, October 13th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 13 Oct 2000 16:38:39 -0400
+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 13th, 2000                       Volume 1, Number 24a |
+----------------------------------------------------------------+

  Editors:   Dave Wreski                 Benjamin Thomas
             dave () linuxsecurity com   ben () linuxsecurity com

This week, advisories were released for mod_rewrite, mod_php3,
tmpwatch, traceroute, boa, esound, usermode, gnorpm, openssh, apache,
and cfengine. The vendors include Caldera, Conectiva, Debian, FreeBSD,
Immunix, LinuxPPC, Mandrake, SuSE, and Trustix. It is critical that
you update all vulnerable packages to reduce the risk of being
compromised.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

-- OpenDoc Publishing --

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

+---------------------------------+
|  Installing a new package:      | ----------------------------//
+---------------------------------+

  # rpm -Uvh
  # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories issued by
vendors are packaged in either an rpm or dpkg. Additional installation
instructions can be found in the body of the Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated sum
to determine whether the file has changed. It is commonly used to
ensure the integrity of updated packages distributed by a vendor.

  # md5sum
  ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  Caldera Advisories             | ----------------------------//
+---------------------------------+

* Caldera: 'mod_rewrite' vulnerability

  The Apache HTTP server comes with a module named mod_rewrite which
  can be used to rewrite URLs presented by the client before further
  processing. The processing logic in mod_rewrite contains a flaw that
  allows attackers to view arbitrary files on the server system. In
  the default configuration shipped with OpenLinux, mod_rewrite is
  disabled.

  Package Name: apache-1.3.4-5.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 checksum: c01531115e05d0371db7b1ac83c85b3b

  Package Name: apache-1.3.9-5S.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
  MD5 checksum: 45bd05d80b8c5ca5ef87da39de9c19dd

  Package Name: apache-1.3.11-2D.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
  MD5 checksum: c303c215facbe330fd454e502a50e798

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-783.html

+---------------------------------+
|  Conectiva Advisories           | ----------------------------//
+---------------------------------+

* Conectiva: 'mod_php3' format string vulnerability

  Logging functions in PHP3 are vulnerable to format string attacks
  that can lead to remote execution of arbitrary code.
  This vulnerability can only be exploited if the logging functions
  are enabled, which is *not* the default configuration for this
  package. This vulnerability also affects PHP4, but it is not shipped
  in any Conectiva Linux distribution as of this date.

  Updated Package: Available in Vendor Advisory

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-793.html

* Conectiva: 'tmpwatch' local DoS

  Versions of the tmpwatch package as shipped with Conectiva Linux
  contain a vulnerability which could lead to a local DoS. These
  versions, though, are not vulnerable to the local root exploit
  published earlier because they do not have the fuser option, which
  appeared only in later versions.

  Updated Package: tmpwatch-2.6.2-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/

  Updated Package: tmpwatch-2.6.2-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/

  Updated Package: tmpwatch-2.6.2-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/

  Updated Package: tmpwatch-2.6.2-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/

  Updated Package: tmpwatch-2.6.2-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Updated Package: tmpwatch-2.6.2-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-771.html

* Conectiva: 'traceroute' vulnerability

  Previous releases of traceroute contained some problems that could
  be exploited to gain local root access.

  Updated Package: traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/

  Updated Package: traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/

  Updated Package: traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/

  Updated Package: traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/

  Updated Package: traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Updated Package: traceroute-1.4a7-2cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-776.html

* Conectiva: 'mod_rewrite' vulnerability

  There are two vulnerabilities in the Apache web server as shipped
  with Conectiva Linux.

  1. Under certain configurations, the mod_rewrite module could be
     used to access any file on the server, provided that filesystem
     access rights permitted that. Now the mod_rewrite module makes a
     one-pass expansion and is no longer vulnerable to this.

  2. The other vulnerability is regarding the handling of Host:
     headers in mass virtual hosting configurations. The check for dot
     (".") characters in that header was not complete and could permit
     access to a parent directory.

  Updated Package: apache-1.3.6-16cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/

  Updated Package: apache-devel-1.3.6-16cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0/i386/

  Updated Package: apache-1.3.6-16cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/

  Updated Package: apache-devel-1.3.6-16cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/

  Updated Package: apache-1.3.9-17cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/

  Updated Package: apache-devel-1.3.9-17cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/

  Updated Package: apache-1.3.9-17cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/

  Updated Package: apache-devel-1.3.9-17cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/

  Updated Package: apache-1.3.12-14cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Updated Package: apache-doc-1.3.12-14cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Updated Package: apache-devel-1.3.12-14cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Updated Package: apache-1.3.12-14cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/

  Updated Package: apache-doc-1.3.12-14cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/

  Updated Package: apache-devel-1.3.12-14cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-788.html

+---------------------------------+
|  Debian Advisories              | ----------------------------//
+---------------------------------+

* Debian: updated 'Boa' packages

  In versions of boa before 0.94.8.3, it is possible to access files
  outside of the server's document root by the use of properly
  constructed URL requests. This problem is fixed in version
  0.94.8.3-1, uploaded to Debian's unstable distribution on October 3,
  2000. Fixed packages are also available in proposed-updates and will
  be included in the next revision of Debian/2.2 (potato).

  Alpha architecture
  Package: boa_0.94.8.3-1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 49bb09162ce840153779b5911cca29af

  Intel ia32 architecture
  Package: boa_0.94.8.3-1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: e8122856917c02ca23e03cf49fcdc3ed

  Motorola 680x0 architecture
  Package: boa_0.94.8.3-1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: 1670d6f1e57453e4a22e15175d398c7e

  PowerPC architecture
  Package: boa_0.94.8.3-1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: 9fdb496abcdc24f2234c1930bc9b9913

  Sun Sparc architecture
  Package: boa_0.94.8.3-1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: 7f4e1ac3afff1442fec6cd5b92ed2771

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-774.html

+---------------------------------+
|  FreeBSD Advisories             | ----------------------------//
+---------------------------------+

* FreeBSD: TCP sequence number prediction weakness

  Systems running insecure protocols which blindly trust a TCP
  connection which appears to come from a given IP address without
  requiring other authentication of the originator are vulnerable to
  spoofing by a remote attacker, potentially yielding privileges or
  access on the local system.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss-3.x.patch
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss-3.x.patch.asc
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss.patch
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:52/tcp-iss.patch.asc

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-761.html

+---------------------------------+
|  Immunix Advisories             | ----------------------------//
+---------------------------------+

* Immunix: 'esound' vulnerability

  Updated Package: esound-0.2.20-0_StackGuard.i386.rpm
  http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  MD5 checksum: ab285ded3a6e451d294ed2f056d7df80

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-766.html

* Immunix: 'traceroute' vulnerability

  Updated Packages: traceroute-1.4a5-24.6x_StackGuard.i386.rpm
  http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  MD5 checksum: cb497c4c15ca728056d5e20d4378a3f0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-767.html

* Other: Immunix 'tmpwatch' update

  Updated Package: tmpwatch-2.6.2-1.6.2_StackGuard.i386.rpm
  http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  MD5 checksum: 3fbec19f6691d95a7c142a88d5f07c8d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-768.html

* Immunix: 'usermode' vulnerability

  Updated Package: usermode-1.36-2.6.x_StackGuard.i386.rpm
  http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  MD5 checksum: ae9e90e8008a267149fa079c7af478ea

  Updated Package: SysVinit-2.78-5_StackGuard.i386.rpm
  http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  MD5 checksum: 10f5e461b559bd7ce45572515f212147

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-781.html

* Immunix: 'gnorpm' update

  Updated Package: gnorpm-0.95.1-2.62_StackGuard.i386.rpm
  http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  MD5 checksum: ef438ecb8577085a0b9c5da49852b323

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-789.html

+---------------------------------+
|  LinuxPPC Advisories            | ----------------------------//
+---------------------------------+

* LinuxPPC: Boot security problem

  All computers with existing versions of LinuxPPC installed are
  accessible as root by anyone if they are able to boot the machine in
  single user mode. Fortunately, the solution is very simple. You can
  disable the automatic login as root when the machine is booted into
  single user mode. The method for doing this is described below.

  http://www.linuxppc.com/support/updates/security/
  ?category=2000&subject=single-user-mode

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/linuxppc_advisory-765.html

+---------------------------------+
|  Mandrake Advisories            | ----------------------------//
+---------------------------------+

* Mandrake: 'gnorpm' update

  Versions of GnoRPM prior to 0.95 used files in the /tmp directory in
  an insecure manner. If GnoRPM is run as root, a local user can
  exploit this behaviour to trick GnoRPM into writing to arbitrary
  files anywhere on the system.

  Package Name: gnorpm-0.9-5mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  MD5 Checksum: 42f258faadf07ac6d4bd8dfdbf1ecc6d

  Package Name: gnorpm-0.9-5mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 Checksum: 6418822070f5579a5d0ae103bb28568b

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-759.html

* Mandrake: 'tmpwatch' vulnerability

  Previous versions of tmpwatch contained a local denial of service
  and root exploits. This is due to using the fork() command to
  recursively process subdirectories which would allow a local user to
  perform a denial of service attack.

  Package Name: tmpwatch-2.6.2-1mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  MD5 checksum: d6e7442f4c3a9af30e9158e7ae9ecf72

  Package Name: tmpwatch-2.6.2-1mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  MD5 checksum: 04b86f78b1bf908219c5ddc94767c7a8

  Package Name: tmpwatch-2.6.2-1mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: 07267b2907b9e9454a967c4323b17f17

  Package Name: tmpwatch-2.6.2-1mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 04e2717f14f0b4f8f991ea9cc0926b2e

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-763.html

* Mandrake: 'openssh' vulnerability

  A problem exists with openssh's scp program. If a user uses scp to
  move files from a server that has been compromised, the operation
  can be used to replace arbitrary files on the user's system. The
  problem is made more serious by setuid versions of ssh which allow
  overwriting any file on the local user's system. If the ssh program
  is not setuid or is setuid to someone other than root, the intrusion
  is limited to files with write access granted to the owner of the
  ssh program.

  7.0

  Package Name: openssh-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: 305e0198128f0ff9c1c9292ec09b4dcc

  Package Name: openssh-askpass-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: b9926356f70c27be00d2b50c96b11bd0

  Package Name: openssh-clients-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: c4264c9b9ab857ddd4555c05096e4697

  Package Name: openssh-server-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: 21f1d76dc514f6e59c6023affc80dc54

  Package Name: openssl-0.9.5a-3mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: a3dd007c212763d4ece19b50e013edd0

  Package Name: openssl-devel-0.9.5a-3mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: b8d23e53945a0c53525701c0ed298d01

  7.1

  Package Name: openssh-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 859074e6bea599faf97ead477a8e97fe

  Package Name: openssh-askpass-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 5df518f2b4cb308fee7b78b127972733

  Package Name: openssh-clients-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: a00ae71dadecbde77ccd9b4d0d0b818a

  Package Name: openssh-server-2.1.1p3-4mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 8abf7df4ed56bcbb517ebe9b549d2df7

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-782.html

* Mandrake: 'boa' vulnerability

  There is a problem with versions of the boa web server prior to
  0.94.8.3 that make it possible to access files outside of the
  server's document root by the use of properly constructed URL
  requests.
  Linux-Mandrake started shipping the boa web server with 7.2 beta
  which uses the fixed 0.94.8.3 version. Linux-Mandrake users who have
  installed this package on their own are encouraged to upgrade to the
  version found in 7.2 beta or cooker.

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-786.html

* Mandrake: 'apache' update

  The Apache web server comes with a module called mod_rewrite which
  is used to rewrite URLs presented by the client prior to further
  processing. There is a flaw in the mod_rewrite logic that allows an
  attacker to view arbitrary files on the server system if they
  contain regular expression references. All Linux-Mandrake users
  using Apache are encouraged to upgrade to these updated versions
  that fix this flaw.

  Linux Mandrake 6.0

  Package Name: apache-1.3.6-29mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  MD5 checksum: 77fa37ac213493d94f5817f93710cbb8

  Package Name: apache-devel-1.3.6-29mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  MD5 checksum: 8c51afd87ab8be5b08bc2d02fdc37298

  Linux-Mandrake 6.1

  Package Name: apache-1.3.9-8mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  MD5 checksum: 890f342e3d33a73978b9ec60d53f3c54

  Package Name: apache-devel-1.3.9-8mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  MD5 checksum: 4308ebc3b5c496b74173d0af0cb43de9

  Linux-Mandrake 7.0

  Package Name: apache-1.3.9-18mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: 094ae1b8764bd6c71519fe051b735e21

  Package Name: apache-devel-1.3.9-18mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: dc298d04f25fe4f5a895e898606b8551

  Package Name: apache-suexec-1.3.9-18mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 checksum: 7fe54f76cf8f5b46d35ba44944783811

  Linux-Mandrake 7.1

  Package Name: apache-1.3.12-13mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 990b35197aee4fe36d9c26b709279108

  Package Name: apache-devel-1.3.12-13mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 973cf2b01f1d1030b672011288188c50

  Package Name: apache-suexec-1.3.12-13mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 checksum: 69e5ff252a7481b36d2f44bc17c48e63

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-790.html

+---------------------------------+
|  RedHat Advisories              | ----------------------------//
+---------------------------------+

* RedHat: 'esound' vulnerability

  Esound, the sound daemon used for Gnome, creates a world-writable
  directory, /tmp/.esd. This directory is owned by the user running
  esound, and is used to store a socket which is used by programs
  connecting to the sound server. During startup, this socket's
  permissions are adjusted. An attacker on the system can
  theoretically create a symbolic link, and cause any file or
  directory owned by the user running esound to be made world
  writable.

  alpha:
  ftp://updates.redhat.com/6.2/alpha/esound-0.2.20-0.alpha.rpm
  MD5 checksum: 648746086daa7bbc6bef00697e62bf51

  sparc:
  ftp://updates.redhat.com/6.2/sparc/esound-0.2.20-0.sparc.rpm
  MD5 checksum: 2127fdd7654b80506952dce08c3f5014

  386:
  ftp://updates.redhat.com/6.2/i386/esound-0.2.20-0.i386.rpm
  MD5 checksum: 2127fdd7654b80506952dce08c3f5014

  ftp://updates.redhat.com/7.0/i386/esound-0.2.20-1.i386.rpm
  MD5 checksum: a61209acb87ed7f4fa5b1d63d161c85d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-760.html

* RedHat: 'traceroute' suid root vulnerability

  A root exploit due to a segfault when using multiple -g options is
  fixed for Red Hat Linux 6.x and Red Hat Linux 5.x. A potential
  denial-of-service attack is alleviated by enforcing a maximum buffer
  size of 64Kb.

  ftp://updates.redhat.com/5.2/alpha/traceroute-1.4a5-24.5x.alpha.rpm
  MD5 checksum: 25a92211082e65df9f89fd71ac7a6888

  ftp://updates.redhat.com/5.2/sparc/traceroute-1.4a5-24.5x.sparc.rpm
  MD5 checksum: d60c337c3fa3d23ba2c1cde082c8fee5

  ftp://updates.redhat.com/5.2/i386/traceroute-1.4a5-24.5x.i386.rpm
  MD5 checksum: 2fc1c66152f3fbd723b695472aadc0a6

  ftp://updates.redhat.com/6.2/alpha/traceroute-1.4a5-24.6x.alpha.rpm
  MD5 checksum: f279d9e415a7d806daae86e8112fe8c6

  ftp://updates.redhat.com/6.2/sparc/traceroute-1.4a5-24.6x.sparc.rpm
  MD5 checksum: 498a1e08221e1d9e0115edb7f34ecef9

  ftp://updates.redhat.com/6.2/i386/traceroute-1.4a5-24.6x.i386.rpm
  MD5 checksum: 49bd824f9f4784ce9c45fa54285c7aa0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-762.html

* Redhat: 'usermode' update

  The usermode package contains a binary (/usr/bin/userhelper), which
  is used to control access to programs which are to be executed as
  root. Because programs invoked by userhelper are not actually
  running setuid-root, security measures built into recent versions of
  glibc are not active.

  ftp://updates.redhat.com/6.2/alpha/usermode-1.36-2.6.x.alpha.rpm
  MD5 checksum: afb4ad3a5715c0df6596a19db4d2b3c8

  ftp://updates.redhat.com/6.2/sparc/usermode-1.36-2.6.x.sparc.rpm
  MD5 checksum: 8567bb088fb7cab3e298d0df24f8c626

  ftp://updates.redhat.com/6.2/i386/usermode-1.36-2.6.x.i386.rpm
  MD5 checksum: c2bac5d41ee077d2db48ed9462802ff0

  ftp://updates.redhat.com/7.0/i386/usermode-1.36-3.i386.rpm
  MD5 checksum: 5d40e125fa0a31f05b8dac9321a1fa88

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-770.html

* Redhat: 'gnorpm' update

  While fixing other problems with the gnorpm package, a
  locally-exploitable security hole was found where a normal user
  could trick root running GnoRPM into writing to arbitrary files due
  to a bug in the gnorpm tmp file handling.

  ftp://updates.redhat.com/6.2/alpha/gnorpm-0.95.1-2.62.alpha.rpm
  MD5 checksum: 1296b065d646657205042c97d7102961

  ftp://updates.redhat.com/6.2/sparc/gnorpm-0.95.1-2.62.sparc.rpm
  MD5 checksum: e1048b5dcb50f73e015105deb456265e

  ftp://updates.redhat.com/6.2/i386/gnorpm-0.95.1-2.62.i386.rpm
  MD5 checksum: 593efce0c95012b16ee266944e394371

  ftp://updates.redhat.com/7.0/i386/gnorpm-0.95.1-3.i386.rpm
  MD5 checksum: 4398b0b737d7ac9f75fff35472884cad

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-784.html

+---------------------------------+
|  PHP Advisories                 | ----------------------------//
+---------------------------------+

* PHP format string vulnerability

  The problem was tested on a Red Hat Linux system having Apache and
  mod_php3 installed. Error logging was enabled in php.ini. With a
  test exploit program, a shellcode could be run remotely under the
  web server user id, which is typically not the root user.

  Updated Package:
  http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-791.html

+---------------------------------+
|  SuSE Advisories                | ----------------------------//
+---------------------------------+

* SuSE: 'esound' update

  Esound, a daemon program for the Gnome desktop, is used for sound
  replay by various programs such as windowmanagers and other
  applications. The esound daemon creates a directory /tmp/.esd to
  host a unix domain socket. Upon startup, the daemon changes the
  modes of the socket, but a race condition allows an attacker to
  place a symlink into the directory to point to an arbitrary file
  belonging to the victim. By consequence, an attacker may be able to
  change the permissions of any file belonging to the victim. If the
  victim's userid is root, the attacker may be able to change the
  modes of any file in the system.

  i386 Intel Platform:

  SuSE-7.0
  Updated Package: esound-0.2.19-15.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/snd1/
  MD5 checksum: 9d8addaa5ba29554a727eb34ae5189f4

  SuSE-6.4
  Updated Package: esound-0.2.16-75.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/snd1/
  MD5 checksum: 6f32f0867d1597a5129d0516438d9cca

  SuSE-6.3
  Updated Package: esound-0.2.15-21.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.3/snd1/
  MD5 checksum: 16a5804a2f27e62d73df40d206b047ca

  Sparc Platform:

  SuSE-7.0
  Updated Package: esound-0.2.19-15.sparc.rpm
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/snd1/
  MD5 checksum: 112648ef64c351952f832b180fcca23c

  AXP Alpha Platform:

  SuSE-6.4
  Updated Package: esound-0.2.16-75.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/snd1/
  MD5 checksum: d2efefb21a6424a81e63788d972db49d

  SuSE-6.3
  Updated Package: esound-0.2.15-21.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.3/snd1/
  MD5 checksum: 19942e308eda0c0d505bb64da734ad8d

  PPC Power PC Platform:

  SuSE-7.0
  Updated Package: esound-0.2.19-16.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/7.0/snd1/
  MD5 checksum: be6daabfee0e7e629b848814be81d9d0

  SuSE-6.4
  Updated Package: esound-0.2.16-75.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/snd1/
  MD5 checksum: f0e1aa54c3fdf7c6c02b34bedc51ee0f

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-785.html

* SuSE: 'cfengine' vulnerability

  GNU cfengine is an abstract programming language for system
  administrators of large heterogeneous networks, used for maintenance
  and administration. Pekka Savola <pekkas () netcore fi> has found
  several format string vulnerabilities in syslog() calls that can be
  abused to either make the cfengine program to segfault and die or to
  execute arbitrary commands as the user the cfengine process runs as
  (usually root).

  i386 Intel Platform:

  SuSE-7.0
  Updated Package: cfengine-1.5.4-82.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/ap1/
  MD5 checksum: dc42c40f3d38756f03d0fe120854438f

  SuSE-6.4
  Updated Package: cfengine-1.5.4-82.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/ap1/
  MD5 checksum: 751acfe93106296ce1109a2502756802

  SuSE-6.3
  Updated Package: cfengine-1.5.4-82.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/
  MD5 checksum: c8acb6a4cb25bf5794a58cbdddeadb3c

  SuSE-6.2
  Updated Package: cfengine-1.5.4-82.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/
  MD5 checksum: 414b3b1ba8d1f6c54e8edf1bc06e3fd4

  SuSE-6.1
  Updated Package: cfengine-1.5.4-82.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/
  MD5 checksum: c90ee6da76d111f537ae3bf0e3a8410d

  SuSE-6.0
  please use the update packages for the SuSE-6.1 distribution.

  SuSE-5.3
  Updated Package: cfengine-1.5.4-87.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/5.3/ap1/
  MD5 checksum: a47f6a4a9affbe258d3c83b569b1dba4

  Sparc Platform:

  SuSE-7.0
  Updated Package: cfengine-1.5.4-83.sparc.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/7.0/ap1/
  MD5 checksum: 3517304c0fd9ff411631ea4c8191516f

  AXP Alpha Platform:

  SuSE-6.4
  Updated Package: cfengine-1.5.4-82.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/ap1/
  MD5 checksum: 409a3b91a67f383a330ea26faccb5eef

  SuSE-6.3
  Please use the update packages for the SuSE-6.4 distribution.

  SuSE-6.1
  Updated Package: cfengine-1.5.4-84.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/
  MD5 checksum: b15950b227f1e77e783dba1ebf512df4

  PPC Power PC Platform:

  SuSE-7.0
  Updated Package: cfengine-1.5.4-85.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/7.0/ap1/
  MD5 checksum: 2ee85ef27d51cac7ac1d574e8233aae5

  SuSE-6.4
  Updated Package: cfengine-1.5.4-82.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/ap1/
  MD5 checksum: ddc0e11f730e2fbb2ef5462987eadffa

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-787.html

+---------------------------------+
|  Trustix Advisories             | ----------------------------//
+---------------------------------+

* Trustix: Several Security Updates

  Due to recently discovered security holes, we have released several
  updates for Trustix Secure Linux v1.1 and 1.0x. Users of the recent
  BETA version should also install these packages.

  Updated Package: apache-1.3.12-6tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 checksum: 688e83f1cd3c679cf5e52ecef29b01a0

  Updated Package: apache-devel-1.3.12-6tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 checksum: a00d7ef794973961f099ef71e38259c5

  Updated Package: apache-ssl-1.3.12_1.39-8tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 checksum: 1aafa759655a998eb79bea314d8e9149

  Updated Package: LPRng-3.6.24-1tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 checksum: ebd7859ff9f63f53ae1c23088bd9684c

  Updated Package: traceroute-1.4a5-18tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 checksum: 906a5b62f1e4232a826ecf2a94fc5c6f

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-758.html

* Trustix: 'tmpwatch' update.

  All versions of Trustix Secure Linux have hitherto been shipped with
  a version of tmpwatch that can be tricked into excessive fork()ing
  filling up the process table, requiring the box to be rebooted.
  The version of tmpwatch can also, in certain cases, be tricked into
  giving local users a root shell.

  Updated Package: tmpwatch-2.6.2-1tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 checksum: 3200b3812bfe6e87f326e240fed0686a

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-769.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".