Information Security News mailing list archives
Linux Advisory Watch - February 2nd 2001
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 2 Feb 2001 11:25:00 -0500
+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| February 2nd, 2000 Volume 2, Number 5a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave () linuxsecurity com ben () linuxsecurity com
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
This week, advisories were released for MySQL, bind, kdesu, glibc,
openssh, ident, periodic, sort, micq, tinyproxy, exmh2, xemacs,
inetd, and LPRng. The vendors include Conectiva, Caldera, Debian,
Immunix, FreeBSD, Mandrake, Red Hat, SuSE, Slackware, and Trustix.
Security is an Interactive Sport: Lessons learned from Ramen - This
article outlines the importance of monitoring vendor advisories and
applying appropriate software patches when necessary. It uses the
Ramen epidemic as an example showing the possible effects of poor
system administration.
http://www.linuxsecurity.com/feature_stories/feature_story-75.html
# OpenDoc Publishing #
Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red
Hat 6.2 and Red Hat 6.2 PowerTools edition.
http://www.linuxsecurity.com/sponsors/opendocs.html
HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+
# rpm -Uvh <package>.rpm
# dpkg -i <package>.deb
Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.
+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+
The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.
# md5sum <package>.rpm
ebf0d4a0d236453f63a797ea20f0758b <package>.rpm
The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who may have modified a package
also may have modified the published checksum, it is especially
useful for establishing a great deal of assurance in the integrity
of a package before installing it.
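The check described above, written out as a small script. This is an added example, not part of the newsletter or any vendor's tooling: it takes the expected checksum as an argument (copied from the advisory text, not from the same download directory the package came from, which is the weakness the paragraph above points at), refuses to proceed on mismatch, and only echoes the rpm/dpkg command instead of running it. The file name, the helper names and the sample digest are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the newsletter): check a downloaded package against
# the MD5 checksum published in the vendor advisory before handing it to
# rpm or dpkg. The checksum is supplied by the administrator, taken from the
# advisory text rather than from the mirror that served the package.

# md5_of FILE: print the hex MD5 digest of FILE (GNU md5sum, or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED
# (case-insensitive), 1 when the file is missing or the digest differs.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_md5: no such file: $file" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify_md5: MISMATCH for $file: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# install_checked FILE EXPECTED: install only after the checksum matches.
# The install command is echoed rather than executed so the example can be
# run on any machine; replace the echo with the real rpm -Uvh / dpkg -i.
install_checked() {
    verify_md5 "$1" "$2" || return 1
    case "$1" in
        *.rpm) echo "would run: rpm -Uvh $1" ;;
        *.deb) echo "would run: dpkg -i $1" ;;
        *) echo "install_checked: unrecognised package type: $1" >&2; return 1 ;;
    esac
}

# Demonstration on a constructed file. The digest below is the MD5 of the
# string "hello\n"; it is not a checksum from any vendor advisory.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/example-1.0.i386.rpm"
    install_checked "$dir/example-1.0.i386.rpm" b1946ac92492d2347c6235b4d2611184
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

The comparison is done on the lowercased digest so that a checksum pasted in upper case from an advisory still matches, and a missing file is treated as a failure rather than as "nothing to compare".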
* Vulnerabilities in BIND 4 and BIND 8
January 29th, 2001
BIND 8 contains a buffer overflow that allows a remote attacker to
execute arbitrary code. The overflow is in the initial processing of a
DNS request and therefore does not require an attacker to control an
authoritative DNS server. In addition, the vulnerability is not
dependent upon configuration options and affects both recursive and
non-recursive servers. This vulnerability has been designated as CVE
candidate CAN-2001-10.
BIND 4 contains a buffer overflow that can
allow a remote attacker to execute arbitrary code. The overflow
occurs when BIND reports an error while attempting to locate IP
addresses for name servers. Exploitation of this vulnerability is
restricted by the fact that the target name server must be recursive and
that the attacker has control of an authoritative DNS server. This
vulnerability has been designated as CVE candidate CAN-2001-11.
http://www.linuxsecurity.com/advisories/other_advisory-1102.html
+---------------------------------+
| Conectiva | ----------------------------//
+---------------------------------+
* Conectiva: 'kdesu' vulnerability
January 30th, 2001
"kdesu" is a utility called by some graphic programs when they need
to execute something as another user, typically root. This utility
then prompts for the password. There is a vulnerability in kdesu
which allows other users on the machine to capture that password
and thus potentially compromise the root account.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdebase-2.01-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
kdebase-devel-2.01-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdelibs-2.01-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
kdelibs-devel-2.01-6cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1119.html
* Conectiva: 'bind' vulnerabilities
January 29th, 2001
"bind" is probably the most used DNS server on the internet. COVERT
labs and Claudio Musmarra have found several vulnerabilities in the
bind packages. Two of these vulnerabilities affect the version
shipped with Conectiva Linux.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1106.html
Conectiva: 'MySQL' buffer overflow - 1/26/2001
MySQL is a very popular database. Versions older than 3.23.31
have a buffer overflow vulnerability that could be exploited
remotely depending on how the database access is configured
(via web, for example).
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1093.html
+---------------------------------+
| Caldera | ----------------------------//
+---------------------------------+
* Caldera: 'bind' vulnerabilities [UPDATED]
February 1st, 2001
Several security problems have been discovered in the most recent
versions of BINDv8 (8.2.2p7). One of them is a buffer overflow that
can potentially be exploited to execute arbitrary code with the
privilege of the bind user.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1125.html
* Caldera: 'MySQL' vulnerabilities
January 30th, 2001
There is a buffer overflow in the MySQL server that allows an
attacker to gain access to the mysql account. A valid mysql account is
required for this attack. An exploit for this problem has been
published on bugtraq.
RPMS/mysql-3.22.32-3S.i386.rpm
940afe2a243e2c568aef4dddbbb56a41
RPMS/mysql-bench-3.22.32-3S.i386.rpm
6930d7617efe5aedd759ccf7271198b6
RPMS/mysql-client-3.22.32-3S.i386.rpm
d1cf0ed011437ad97cc9beef06b67398
RPMS/mysql-devel-3.22.32-3S.i386.rpm
d766bdb5d048e219d0897d4ea73f7b1b
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1122.html
* Caldera: 'glibc' vulnerability
January 29th, 2001
The ELF shared library loader that is part of glibc supports the
LD_PRELOAD environment variable that lets a user request that
additional shared libraries should be loaded when starting a program.
Normally, this feature should be disabled for setuid applications
because of its security implications.
RPMS/glibc-2.1.3-6OL.i386.rpm
9dc46298c12e4ce5878c449477c8eaaf
RPMS/glibc-devel-2.1.3-6OL.i386.rpm
314e8df8a22a8a91ebcec87458256631
RPMS/glibc-devel-static-2.1.3-6OL.i386.rpm
1abc6e241431080fd8518537c2bfe05c
RPMS/glibc-localedata-2.1.3-6OL.i386.rpm
0417ac3f91cdb70844cdcfccfa002df2
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1110.html
+---------------------------------+
| Debian | ----------------------------//
+---------------------------------+
* Debian: 'bind' vulnerabilities
January 29th, 2001
BIND 8 suffered from several buffer overflows. It is possible to
construct an inverse query that allows the stack to be read remotely
exposing environment variables. CERT has disclosed information about
these issues. A new upstream version fixes this. Due to the
complexity of BIND we have decided to make an exception to our rule
by releasing the new upstream source to our stable distribution.
http://security.debian.org/dists/stable/updates/main/binary-i386/
bind-dev_8.2.3-0.potato.1_i386.deb
MD5 checksum: e1321461aecef5fdef03a2de9881601b
http://security.debian.org/dists/stable/updates/main/binary-i386/
bind_8.2.3-0.potato.1_i386.deb
MD5 checksum: 54905c4cf2e5130e50de6f77e63e0efd
http://security.debian.org/dists/stable/updates/main/binary-i386/
dnsutils_8.2.3-0.potato.1_i386.deb
MD5 checksum: 4c88c5377b1f900c18143bb69ab034a1
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1103.html
* Debian: 'openssh' missing PAM support
January 28th, 2001
A former security upload of OpenSSH lacked support for PAM, which led
to people not being able to log in to their server. This was only
a problem on the sparc architecture.
SPARC Architecture - PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1100.html
* Debian: 'openssh' wrong libSSL
January 28th, 2001
A former security upload of OpenSSH was linked against the wrong
version of libssl (providing an API to SSL); that version was not
available on sparc. This ought to fix a former upload that lacked
support for PAM, which led to people not being able to log in to
their server. This was only a problem on the sparc architecture.
SPARC Architecture - PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1101.html
+---------------------------------+
| Immunix | ----------------------------//
+---------------------------------+
* Immunix: 'bind' vulnerabilities
January 30th, 2001
The people at COVERT Labs have discovered a number of security
problems with all previous versions of Bind.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1123.html
+---------------------------------+
| FreeBSD | ----------------------------//
+---------------------------------+
* FreeBSD: 'bind' vulnerabilities
February 1st, 2001
Malicious remote users can cause arbitrary code to be executed as the
user running the named daemon. This is often the root user, although
FreeBSD provides built-in support for the execution of named as an
unprivileged 'bind' user, which greatly limits the scope of the
vulnerability should a successful penetration take place.
UPGRADE: http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1126.html
* FreeBSD: 'micq' ports buffer overflow
January 30th, 2001
Malicious remote users may cause arbitrary code to be executed with
the privileges of the micq process. If you have not chosen to install
the micq port/package, then your system is not vulnerable to this
problem.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1114.html
* FreeBSD: 'tinyproxy' ports vulnerability
January 30th, 2001
Malicious remote users may cause a denial-of-service and potentially
cause arbitrary code to be executed. If you have not chosen to
install the tinyproxy port/package, then your system is not
vulnerable to this problem.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1115.html
* FreeBSD: 'exmh2' port vulnerability
January 30th, 2001
Malicious local users may cause arbitrary files writable by the user
running exmh to be overwritten, in certain restricted situations. If
you have not chosen to install the exmh2 port/package, then your
system is not vulnerable to this problem.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1117.html
* FreeBSD: 'mysql' ports vulnerability
January 30th, 2001
Malicious remote mysql users may cause a denial-of-service and
potentially gain access as the mysqld user, allowing access to all
databases on the mysql server and the ability to leverage other local
attacks as the mysqld user. If you have not chosen to install the
mysql322-server or mysql323-server ports/packages, then your system
is not vulnerable to this problem.
PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1116.html
* FreeBSD: 'ident' vulnerability
January 29th, 2001
During internal auditing, the internal ident server in inetd was
found to incorrectly set group privileges according to the user. Due
to ident using root's group permissions, users may read the first 16
(excluding initial whitespace) bytes of wheel-accessible files.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1107.html
* FreeBSD: 'sort' creates insecure temp files
January 29th, 2001
This allows an attacker to cause the sort(1) command to abort, which
may have a cascade effect on other scripts which make use of it (such
as system management and reporting scripts). For example, it may be
possible to use this failure mode to hide the reporting of malicious
system activity which would otherwise be detected by a management
script.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1111.html
* FreeBSD: 'periodic' vulnerability
January 29th, 2001
A vulnerability was inadvertently introduced into periodic that
caused temporary files with insecure file names to be used in the
system's temporary directory. This may allow a malicious local user
to cause arbitrary files on the system to be corrupted.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1109.html
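The two FreeBSD items above (sort creating insecure temporary files, and periodic using predictable temporary names) share one root cause and one consequence: a script that writes to a guessable path under /tmp can be made to overwrite an arbitrary file, and a script whose helper aborts silently can drop the very report that would have exposed the problem. The following script is an added example, not code from the newsletter or from FreeBSD, showing how a periodic-style report step handles both: mktemp(1) for the temp file, cleanup on interruption, and a non-zero exit on any failure. The function names and the sample input are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the newsletter or FreeBSD): temp-file handling for
# a periodic report step, written against the two failure modes the sort(1)
# and periodic advisories describe. The weak form is a predictable name
# created with plain redirection, e.g.
#   tmp=/tmp/report.$$; sort "$input" > "$tmp"
# which lets another local user decide what file that path really is. That
# line appears only in this comment and is never executed below.

# safe_tmpfile: create a private (mode 0600), randomly named file with
# mktemp(1) and print its path; print nothing and return 1 on failure.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/report.XXXXXX" 2>/dev/null
}

# sorted_report INPUT: sort INPUT through a private temp file and print the
# result. Every failure (no temp file, sort aborted) is logged to stderr and
# returns non-zero, so the caller cannot mistake a truncated report for a
# clean one; a quietly empty report is what the sort advisory warns about.
sorted_report() {
    input=$1
    tmp=$(safe_tmpfile) || {
        echo "sorted_report: cannot create temp file in ${TMPDIR:-/tmp}" >&2
        return 1
    }
    # Remove the temp file even if the script is interrupted mid-run.
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    if ! sort "$input" > "$tmp"; then
        echo "sorted_report: sort failed on $input; report is incomplete" >&2
        rm -f "$tmp"
        trap - EXIT HUP INT TERM
        return 1
    fi
    cat "$tmp"
    rm -f "$tmp"
    trap - EXIT HUP INT TERM
    return 0
}

# Demonstration on constructed input (three unsorted lines).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'c\na\nb\n' > "$dir/in.txt"
    sorted_report "$dir/in.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

Because the function returns non-zero whenever sort does, a periodic driver that checks exit status (or simply runs under set -e) will notice a broken report instead of mailing an empty one.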
+---------------------------------+
| Mandrake | ----------------------------//
+---------------------------------+
* Mandrake: 'kdesu' vulnerability
February 1st, 2001
A problem exists with the kdesu program for KDE versions 1 and 2.
kdesu is a frontend for the su program, allowing normal users to run
programs with root privileges by prompting for the root password.
When the "keep password" option is enabled, kdesu tries to send the
password across process boundaries to kdesud via a UNIX socket.
During this, it does not verify the identity of the listener on the
other end, which can allow attackers to obtain the root password.
7.2/RPMS/kdebase-2.0.1-1mdk.i586.rpm
a18c6c5bd7c423515ed7773ab03d2c43
7.2/RPMS/kdebase-devel-2.0.1-1mdk.i586.rpm
3a078b0c56368c465e4015a12203200c
7.2/RPMS/kdelibs-2.0.1-2mdk.i586.rpm
f5d129d8bde46e3750fa353c63edfcbc
7.2/RPMS/kdelibs-devel-2.0.1-2mdk.i586.rpm
1768c992dffa54bee6a0adfff86db892
http://www.linux-mandrake.com/en/ftp.php3
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1127.html
* Mandrake: 'xemacs' vulnerability
February 1st, 2001
Previous versions of XEmacs had a problem with the gnuserv
application. Versions prior to 21.1.14 could allow arbitrary code to
be executed by overrunning the magic cookie buffer, as well as
accepting the prefix of valid magic cookies.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1128.html
* Mandrake: 'bind' vulnerabilities
January 29th, 2001
Four problems exist in all versions of ISC BIND 4.9.x prior to 4.9.8
and 8.2.x prior to 8.2.3 (9.x is not affected). Version 8.2.x
contains a buffer overflow in transaction signature (TSIG) handling
code that can be exploited by an attacker to gain unauthorized
privileged access to the system, allowing execution of arbitrary
code.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1105.html
+---------------------------------+
| Red Hat | ----------------------------//
+---------------------------------+
* Red Hat: 'inetd' vulnerability
January 30th, 2001
The inetd server as shipped with Red Hat Linux 6.2 fails to close
sockets for internal services properly. This could make services stop
working when the system had leaked sufficient resources.
ftp://updates.redhat.com/6.2/i386/inetd-0.16-7.i386.rpm
60ad8ad297b03a9b90e69a2e5c06c185
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1118.html
* Red Hat: 'bind' vulnerabilities
January 29th, 2001
Some security problems, including a remotely exploitable information
leak allowing anyone to read the stack, have been found in bind
versions prior to 8.2.3.
ftp://updates.redhat.com/5.2/i386/bind-8.2.3-0.5.x.i386.rpm
316dab391275988232636eac9032e34e
ftp://updates.redhat.com/5.2/i386/bind-devel-8.2.3-0.5.x.i386.rpm
b773953a7959f24f7aca66a98df8b9bb
ftp://updates.redhat.com/5.2/i386/bind-utils-8.2.3-0.5.x.i386.rpm
090380d4e3e1923ec033b5bfa42ce8bd
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1112.html
+---------------------------------+
| Slackware | ----------------------------//
+---------------------------------+
* Slackware: 'bind' vulnerabilities
January 30th, 2001
Multiple vulnerabilities exist in the versions of BIND found in
Slackware 7.1 and -current. Users of BIND 8.x are urged to upgrade to
8.2.3 to fix these problems.
ftp://ftp.slackware.com/pub/slackware/
slackware-current/slakware/n1/bind.tgz
Vendor Advisory:
http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html
+---------------------------------+
| SuSE | ----------------------------//
+---------------------------------+
* SuSE: 'kdesu' vulnerability
January 30th, 2001
kdesu is a KDE frontend for su(1). When invoked it prompts for the
root password and runs su(1). kdesu itself does not run
setuid/setgid. However when enabling the 'keep password' option it
tries to send the password across process boundaries to kdesud via a
UNIX socket. During this it does not verify the identity of the
listener on the other end. This allows attackers to obtain the root
password.
SuSE-7.0:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/kpa1/kdesu-0.98-187.i386.rpm
c7238ea5775939239b3857b550ca9f1b
SuSE-7.0:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/kpa1/kdesu.rpm
c7238ea5775939239b3857b550ca9f1b
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1113.html
* SuSE: 'bind' vulnerabilities
January 30th, 2001
bind-8.x in all versions of the SuSE distributions contains a bug in
the transaction signature handling code that can allow a remote
attacker to overflow a buffer and thereby execute arbitrary code as
the user running the nameserver.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1124.html
+---------------------------------+
| TurboLinux | ----------------------------//
+---------------------------------+
* TurboLinux: 'LPRng' buffer overflow
January 30th, 2001
The LPRng port, versions prior to 3.6.26, contains a potential
vulnerability which may allow root compromise from both local and
remote systems. The vulnerability is due to incorrect usage of the
syslog(3) function. Local and remote users can send string-formatting
operators to the printer daemon to corrupt the daemon's execution,
potentially gaining root access.
Vendor Advisory:
http://www.linuxsecurity.com/advisories/turbolinux_advisory-1120.html
+---------------------------------+
| Trustix | ----------------------------//
+---------------------------------+
* Trustix: 'bind' and 'openldap' updates
January 29th, 2001
A remote hole in bind allows for the environment of the server
process to be leaked to an attacker.
bind-8.2.3-1tr.i586.rpm
1ff0878fb7b01f51c23607c1a06b28e5
bind-devel-8.2.3-1tr.i586.rpm
048b5aae3b80be0e9a844726292471ef
bind-utils-8.2.3-1tr.i586.rpm
9794142fc249de3946ed38202b53e5f1
ftp://ftp.trustix.net/pub/Trustix/updates/
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1104.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".