Information Security News mailing list archives
Linux Advisory Watch, September 22nd 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 29 Sep 2000 11:25:40 -0400
+----------------------------------------------------------------+
|  LinuxSecurity.com                       Linux Advisory Watch  |
|  September 22nd, 2000                    Volume 1, Number 22a  |
+----------------------------------------------------------------+

Editors:  Dave Wreski                  Benjamin Thomas
          dave () linuxsecurity com    ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for esound, lprng, sysklogd, xpdf,
imp/horde, mod_rewrite, and catopen(). The vendors include Apache,
Caldera, Mandrake, FreeBSD, and Conectiva. It is critical that you
update all vulnerable packages.

Syslogd continues to be a problem on most systems. Last week, eight
vendors released fixes to this problem. Please refer to last week's
newsletter for additional information on syslogd.

http://www.linuxsecurity.com/articles/forums_article-1620.html

Perhaps one of the more serious advisories released this week is the
LPRng format string vulnerability outlined by Caldera. In the LPRng
printer daemon there is a format bug that could potentially be
exploited to gain root access. This is particularly severe because it
can be exercised remotely.

-- OpenDoc Publishing ------------------------------------------//

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

https://secure.linuxports.com/cart/security/

+---------------------------------+
|  Installing a new package:      | ----------------------------//
+---------------------------------+

   # rpm -Uvh <package-file>
   # dpkg -i <package-file>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories issued by
vendors are packaged in either an rpm or dpkg. Additional installation
instructions can be found in the body of the Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated sum
to determine whether the file has changed. It is commonly used to
ensure the integrity of updated packages distributed by a vendor.

   # md5sum <package-file>
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  Apache Advisory                | ----------------------------//
+---------------------------------+

* Apache: mod_rewrite vulnerability
  September 27th, 2000

The Apache development list this week contains a fix for a security
issue that affects previous versions of Apache, including Apache
1.3.12. Apache is only vulnerable if you use mod_rewrite and a
specific case of the directive RewriteRule. If the result of a
RewriteRule is a filename that contains regular expression references
then an attacker may be able to access any file on the web server.

Updated Package: (see full advisory)
http://www.linuxsecurity.com/advisories/other_advisory-741.html

+---------------------------------+
|  Caldera Advisories             | ----------------------------//
+---------------------------------+

* Caldera: 'LPRng' format string vulnerability
  September 25th, 2000

There is a format bug in the LPRng printer daemon that could possibly
be exploited to obtain root privilege. This problem is particularly
severe because it can be exercised remotely.

Updated Package: LPRng-3.5.3-3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
http://www.linuxsecurity.com/advisories/caldera_advisory-740.html

+---------------------------------+
|  Conectiva Advisory             | ----------------------------//
+---------------------------------+

* Conectiva: imp vulnerability
  September 23rd, 2000

There are several vulnerabilities in the horde and imp packages
shipped with Conectiva Linux that allow a user to execute remote
commands on the server as the user "nobody".

Updated Package: imp (see full advisory)
ftp://atualizacoes.conectiva.com.br/
http://www.linuxsecurity.com/advisories/other_advisory-737.html

+---------------------------------+
|  FreeBSD Advisory               | ----------------------------//
+---------------------------------+

* FreeBSD: 'catopen()' vulnerability
  September 27th, 2000

Certain setuid/setgid third-party software (including FreeBSD
ports/packages) may be vulnerable to a local exploit yielding
privileged access. No such software is however currently known.

Updated Package: (see full advisory)
http://www.linuxsecurity.com/advisories/freebsd_advisory-743.html

+---------------------------------+
|  Mandrake Advisories            | ----------------------------//
+---------------------------------+

* Mandrake: 'esound' update
  September 27th, 2000

A problem exists with the esound daemon, which is used in GNOME and
responsible for multiplexing access to audio devices.
Versions of esound prior to and including 0.2.19 create a
world-writable directory in /tmp called .esd which is owned by the
user running esound. This directory is used to store a unix domain
socket. The socket is also created world-writable, so a race condition
exists in the creation of this socket which allows a local attacker to
cause an arbitrary file or directory owned by the user running esound
to become world-writable. This update contains a patch from FreeBSD
which creates ~/.esd as the temporary directory to use and makes the
unix domain socket read and write only to the user.

Updated Package: esound-0.2.17-3mdk
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
http://www.linuxsecurity.com/advisories/mandrake_advisory-742.html

* Mandrake: 'sysklogd' update
  September 25th, 2000

A problem exists with the kernel logging daemon (klogd) in the
sysklogd package. A "format bug" makes klogd vulnerable to local root
compromise, as well as the possibility for remote vulnerabilities
under certain circumstances, which are improbable. There is also a
more probable semi-remote exploit via knfsd. This update provides a
patched version of klogd that fixes these vulnerabilities.

Updated Package: sysklogd-1.3.31-18mdk
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
http://www.linuxsecurity.com/advisories/mandrake_advisory-739.html

* Mandrake: 'xpdf' update
  September 25th, 2000

There is a potential race condition when using tmpnam() and fopen() in
xpdf versions prior to 0.91. This exploit can only be used as root to
overwrite arbitrary files if a symlink is created between the calls to
tmpnam() and fopen(). There is also a problem with malicious URL-type
links in PDF documents that contain quote characters which could also
potentially be used to execute arbitrary commands. This is due to xpdf
calling system() with a netscape (or similar) command plus the URL.
The 0.91 release of xpdf fixes both of these potential problems.
Although there are no known exploits, users are encouraged to upgrade
their system with these updates.

Updated Package: xpdf-0.91-4mdk
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
http://www.linuxsecurity.com/advisories/mandrake_advisory-738.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".
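
The tmpnam()/fopen() race described in the xpdf advisory above, shown from the fixing side as an added example (not part of the newsletter and not xpdf's own code): creating the file exclusively, or with mkstemp(), leaves no gap in which a symlink can be planted. All function names and paths below are hypothetical, and the planted symlink is a constructed scenario inside a private scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file only if nothing exists at path. With O_CREAT|O_EXCL the
 * kernel does the existence check and the creation as one step, and a
 * symlink at path is never followed: open() fails with EEXIST. */
int open_new_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Replacement for tmpnam()+fopen(): mkstemp() picks the name and creates
 * the file atomically. Returns a FILE* or NULL; tmpl must end in XXXXXX. */
FILE *open_private_temp(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (!fp) { close(fd); unlink(tmpl); }
    return fp;
}

/* Constructed scenario: a symlink already sits at the predictable name when
 * the program opens it. Returns 1 if the exclusive open refuses it and the
 * link target keeps its 4-byte content, 0 if not, -1 on setup failure. */
int planted_symlink_is_refused(void) {
    char dir[] = "/tmp/tmprace-XXXXXX", victim[64], planted[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/predicted-name", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("keep", f); fclose(f);
    if (symlink(victim, planted) != 0) return -1;
    int fd = open_new_exclusive(planted);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == 4);
    unlink(planted); unlink(victim); rmdir(dir);
    return refused && intact;
}
int main(void) {
    printf("planted symlink refused: %d\n", planted_symlink_is_refused());
    return 0;
}
```

A plain fopen(name, "w") on the same path would follow the link and truncate the target, which is the overwrite the advisory describes.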