Information Security News mailing list archives
Linux Advisory Watch - February 2nd 2001
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 2 Feb 2001 11:25:00 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                    Linux Advisory Watch     |
|  February 2nd, 2000                   Volume 2, Number 5a      |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com    ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for MySQL, bind, kdesu, glibc,
openssh, ident, periodic, sort, micq, tinyproxy, exmh2, xemacs, inetd,
and LPRng. The vendors include Conectiva, Caldera, Debian, Immunix,
FreeBSD, Mandrake, Red Hat, SuSE, Slackware, and Trustix.

Security is an Interactive Sport: Lessons learned from Ramen - This
article outlines the importance of monitoring vendor advisories and
applying appropriate software patches when necessary. It uses the Ramen
epidemic as an example showing the possible effects of poor system
administration.
http://www.linuxsecurity.com/feature_stories/feature_story-75.html

# OpenDoc Publishing #

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.
http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
| Installing a new package:       | ------------------------------//
+---------------------------------+

  # rpm -Uvh
  # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the advisories.

+---------------------------------+
| Checking Package Integrity:     | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to
determine whether the file has changed. It is commonly used to ensure
the integrity of updated packages distributed by a vendor.

  # md5sum
  ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

* Vulnerabilities in BIND 4 and BIND 8
  January 29th, 2001

  BIND 8 contains a buffer overflow that allows a remote attacker to
  execute arbitrary code. The overflow is in the initial processing of a
  DNS request and therefore does not require an attacker to control an
  authoritative DNS server. In addition, the vulnerability is not
  dependent upon configuration options and affects both recursive and
  non-recursive servers. This vulnerability has been designated as CVE
  candidate CAN-2001-10.

  BIND 4 contains a buffer overflow that can allow a remote attacker to
  execute arbitrary code. The overflow occurs when BIND reports an error
  while attempting to locate IP addresses for name servers. Exploitation
  of this vulnerability is restricted by the fact that the target name
  server must be recursive and that the attacker must have control of an
  authoritative DNS server. This vulnerability has been designated as
  CVE candidate CAN-2001-11.

  http://www.linuxsecurity.com/advisories/other_advisory-1102.html

+---------------------------------+
| Conectiva                       | ----------------------------//
+---------------------------------+

* Conectiva: 'kdesu' vulnerability
  January 30th, 2001

  "kdesu" is a utility called by some graphic programs when they need to
  execute something as another user, typically root. This utility then
  prompts for the password. There is a vulnerability in kdesu which
  allows other users on the machine to capture that password and thus
  potentially compromise the root account.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdebase-2.01-4cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdebase-devel-2.01-4cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdelibs-2.01-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdelibs-devel-2.01-6cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1119.html

* Conectiva: 'bind' vulnerabilities
  January 29th, 2001

  "bind" is probably the most used DNS server on the internet. COVERT
  labs and Claudio Musmarra have found several vulnerabilities in the
  bind packages. Two of these vulnerabilities affect the version shipped
  with Conectiva Linux.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1106.html

* Conectiva: 'MySQL' buffer overflow
  January 26th, 2001

  MySQL is a very popular database. Versions older than 3.23.31 have a
  buffer overflow vulnerability that could be exploited remotely
  depending on how the database access is configured (via web, for
  example).

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1093.html

+---------------------------------+
| Caldera                         | ----------------------------//
+---------------------------------+

* Caldera: 'bind' vulnerabilities [UPDATED]
  February 1st, 2001

  Several security problems have been discovered in the most recent
  versions of BINDv8 (8.2.2p7). One of them is a buffer overflow that
  can potentially be exploited to execute arbitrary code with the
  privilege of the bind user.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1125.html

* Caldera: 'MySQL' vulnerabilities
  January 30th, 2001

  There is a buffer overflow in the MySQL server that allows an attacker
  to gain access to the mysql account. A valid mysql account is required
  for this attack. An exploit for this problem has been published on
  bugtraq.

  RPMS/mysql-3.22.32-3S.i386.rpm         940afe2a243e2c568aef4dddbbb56a41
  RPMS/mysql-bench-3.22.32-3S.i386.rpm   6930d7617efe5aedd759ccf7271198b6
  RPMS/mysql-client-3.22.32-3S.i386.rpm  d1cf0ed011437ad97cc9beef06b67398
  RPMS/mysql-devel-3.22.32-3S.i386.rpm   d766bdb5d048e219d0897d4ea73f7b1b
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1122.html

* Caldera: 'glibc' vulnerability
  January 29th, 2001

  The ELF shared library loader that is part of glibc supports the
  LD_PRELOAD environment variable, which lets a user request that
  additional shared libraries be loaded when starting a program.
  Normally, this feature should be disabled for setuid applications
  because of its security implications.

  RPMS/glibc-2.1.3-6OL.i386.rpm              9dc46298c12e4ce5878c449477c8eaaf
  RPMS/glibc-devel-2.1.3-6OL.i386.rpm        314e8df8a22a8a91ebcec87458256631
  RPMS/glibc-devel-static-2.1.3-6OL.i386.rpm 1abc6e241431080fd8518537c2bfe05c
  RPMS/glibc-localedata-2.1.3-6OL.i386.rpm   0417ac3f91cdb70844cdcfccfa002df2
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1110.html

+---------------------------------+
| Debian                          | ----------------------------//
+---------------------------------+

* Debian: 'bind' vulnerabilities
  January 29th, 2001

  BIND 8 suffered from several buffer overflows. It is possible to
  construct an inverse query that allows the stack to be read remotely,
  exposing environment variables. CERT has disclosed information about
  these issues. A new upstream version fixes this. Due to the complexity
  of BIND we have decided to make an exception to our rule by releasing
  the new upstream source to our stable distribution.

  http://security.debian.org/dists/stable/updates/main/binary-i386/bind-dev_8.2.3-0.potato.1_i386.deb
    MD5 checksum: e1321461aecef5fdef03a2de9881601b
  http://security.debian.org/dists/stable/updates/main/binary-i386/bind_8.2.3-0.potato.1_i386.deb
    MD5 checksum: 54905c4cf2e5130e50de6f77e63e0efd
  http://security.debian.org/dists/stable/updates/main/binary-i386/dnsutils_8.2.3-0.potato.1_i386.deb
    MD5 checksum: 4c88c5377b1f900c18143bb69ab034a1

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1103.html

* Debian: 'openssh' missing PAM support
  January 28th, 2001

  A former security upload of OpenSSH lacked support for PAM, which led
  to people not being able to log in to their server. This was only a
  problem on the sparc architecture.

  SPARC Architecture - PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1100.html

* Debian: 'openssh' wrong libSSL
  January 28th, 2001

  A former security upload of OpenSSH was linked against the wrong
  version of libssl (providing an API to SSL); that version was not
  available on sparc. This ought to fix a former upload that lacked
  support for PAM, which led to people not being able to log in to
  their server. This was only a problem on the sparc architecture.

  SPARC Architecture - PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1101.html

+---------------------------------+
| Immunix                         | ----------------------------//
+---------------------------------+

* Immunix: 'bind' vulnerabilities
  January 30th, 2001

  The people at COVERT Labs have discovered a number of security
  problems with all previous versions of Bind.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1123.html

+---------------------------------+
| FreeBSD                         | ----------------------------//
+---------------------------------+

* FreeBSD: 'bind' vulnerabilities
  February 1st, 2001

  Malicious remote users can cause arbitrary code to be executed as the
  user running the named daemon. This is often the root user, although
  FreeBSD provides built-in support for the execution of named as an
  unprivileged 'bind' user, which greatly limits the scope of the
  vulnerability should a successful penetration take place.

  UPGRADE: http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1126.html

* FreeBSD: 'micq' ports buffer overflow
  January 30th, 2001

  Malicious remote users may cause arbitrary code to be executed with
  the privileges of the micq process. If you have not chosen to install
  the micq port/package, then your system is not vulnerable to this
  problem.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1114.html

* FreeBSD: 'tinyproxy' ports vulnerability
  January 30th, 2001

  Malicious remote users may cause a denial-of-service and potentially
  cause arbitrary code to be executed. If you have not chosen to install
  the tinyproxy port/package, then your system is not vulnerable to this
  problem.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1115.html

* FreeBSD: 'exmh2' port vulnerability
  January 30th, 2001

  Malicious local users may cause arbitrary files writable by the user
  running exmh to be overwritten, in certain restricted situations. If
  you have not chosen to install the exmh2 port/package, then your
  system is not vulnerable to this problem.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1117.html

* FreeBSD: 'mysql' ports vulnerability
  January 30th, 2001

  Malicious remote mysql users may cause a denial-of-service and
  potentially gain access as the mysqld user, allowing access to all
  databases on the mysql server and the ability to leverage other local
  attacks as the mysqld user. If you have not chosen to install the
  mysql322-server or mysql323-server ports/packages, then your system is
  not vulnerable to this problem.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1116.html

* FreeBSD: 'ident' vulnerability
  January 29th, 2001

  During internal auditing, the internal ident server in inetd was found
  to incorrectly set group privileges according to the user. Because
  ident runs with root's group permissions, users may read the first 16
  bytes (excluding initial whitespace) of wheel-accessible files.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1107.html

* FreeBSD: 'sort' creates insecure temp files
  January 29th, 2001

  This allows an attacker to cause the sort(1) command to abort, which
  may have a cascade effect on other scripts which make use of it (such
  as system management and reporting scripts). For example, it may be
  possible to use this failure mode to hide the reporting of malicious
  system activity which would otherwise be detected by a management
  script.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1111.html

* FreeBSD: 'periodic' vulnerability
  January 29th, 2001

  A vulnerability was inadvertently introduced into periodic that caused
  temporary files with insecure file names to be used in the system's
  temporary directory. This may allow a malicious local user to cause
  arbitrary files on the system to be corrupted.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1109.html

+---------------------------------+
| Mandrake                        | ----------------------------//
+---------------------------------+

* Mandrake: 'kdesu' vulnerability
  February 1st, 2001

  A problem exists with the kdesu program for KDE versions 1 and 2.
  kdesu is a frontend for the su program, allowing normal users to run
  programs with root privileges by prompting for the root password. When
  the "keep password" option is enabled, kdesu tries to send the
  password across process boundaries to kdesud via a UNIX socket. During
  this, it does not verify the identity of the listener on the other
  end, which can allow attackers to obtain the root password.

  7.2/RPMS/kdebase-2.0.1-1mdk.i586.rpm        a18c6c5bd7c423515ed7773ab03d2c43
  7.2/RPMS/kdebase-devel-2.0.1-1mdk.i586.rpm  3a078b0c56368c465e4015a12203200c
  7.2/RPMS/kdelibs-2.0.1-2mdk.i586.rpm        f5d129d8bde46e3750fa353c63edfcbc
  7.2/RPMS/kdelibs-devel-2.0.1-2mdk.i586.rpm  1768c992dffa54bee6a0adfff86db892
  http://www.linux-mandrake.com/en/ftp.php3

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1127.html

* Mandrake: 'xemacs' vulnerability
  February 1st, 2001

  Previous versions of XEmacs had a problem with the gnuserv
  application. Versions prior to 21.1.14 could allow arbitrary code to
  be executed by overrunning the magic cookie buffer, as well as
  accepting the prefix of valid magic cookies.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1128.html

* Mandrake: 'bind' vulnerabilities
  January 29th, 2001

  Four problems exist in all versions of ISC BIND 4.9.x prior to 4.9.8
  and 8.2.x prior to 8.2.3 (9.x is not affected). Version 8.2.x contains
  a buffer overflow in transaction signature (TSIG) handling code that
  can be exploited by an attacker to gain unauthorized privileged access
  to the system, allowing execution of arbitrary code.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1105.html

+---------------------------------+
| Red Hat                         | ----------------------------//
+---------------------------------+

* Red Hat: 'inetd' vulnerability
  January 30th, 2001

  The inetd server as shipped with Red Hat Linux 6.2 fails to close
  sockets for internal services properly. This could make services stop
  working once the system had leaked sufficient resources.

  ftp://updates.redhat.com/6.2/i386/inetd-0.16-7.i386.rpm
    60ad8ad297b03a9b90e69a2e5c06c185

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1118.html

* Red Hat: 'bind' vulnerabilities
  January 29th, 2001

  Some security problems, including a remotely exploitable information
  leak allowing anyone to read the stack, have been found in bind
  versions prior to 8.2.3.

  ftp://updates.redhat.com/5.2/i386/bind-8.2.3-0.5.x.i386.rpm
    316dab391275988232636eac9032e34e
  ftp://updates.redhat.com/5.2/i386/bind-devel-8.2.3-0.5.x.i386.rpm
    b773953a7959f24f7aca66a98df8b9bb
  ftp://updates.redhat.com/5.2/i386/bind-utils-8.2.3-0.5.x.i386.rpm
    090380d4e3e1923ec033b5bfa42ce8bd

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1112.html

+---------------------------------+
| Slackware                       | ----------------------------//
+---------------------------------+

* Slackware: 'bind' vulnerabilities
  January 30th, 2001

  Multiple vulnerabilities exist in the versions of BIND found in
  Slackware 7.1 and -current. Users of BIND 8.x are urged to upgrade to
  8.2.3 to fix these problems.

  ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html

+---------------------------------+
| SuSE                            | ----------------------------//
+---------------------------------+

* SuSE: 'kdesu' vulnerability
  January 30th, 2001

  kdesu is a KDE frontend for su(1). When invoked it prompts for the
  root password and runs su(1). kdesu itself does not run setuid/setgid.
  However, when the 'keep password' option is enabled it tries to send
  the password across process boundaries to kdesud via a UNIX socket.
  During this it does not verify the identity of the listener on the
  other end. This allows attackers to obtain the root password.

  SuSE-7.0:
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/kpa1/kdesu-0.98-187.i386.rpm
    c7238ea5775939239b3857b550ca9f1b
  SuSE-7.0:
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/kpa1/kdesu.rpm
    c7238ea5775939239b3857b550ca9f1b

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1113.html

* SuSE: 'bind' vulnerabilities
  January 30th, 2001

  bind-8.x in all versions of the SuSE distributions contains a bug in
  the transaction signature handling code that can allow a remote
  attacker to overflow a buffer and thereby execute arbitrary code as
  the user running the nameserver.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1124.html

+---------------------------------+
| TurboLinux                      | ----------------------------//
+---------------------------------+

* TurboLinux: 'LPRng' buffer overflow
  January 30th, 2001

  The LPRng port, versions prior to 3.6.26, contains a potential
  vulnerability which may allow root compromise from both local and
  remote systems. The vulnerability is due to incorrect usage of the
  syslog(3) function. Local and remote users can send string-formatting
  operators to the printer daemon to corrupt the daemon's execution,
  potentially gaining root access.

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/turbolinux_advisory-1120.html

+---------------------------------+
| Trustix                         | ----------------------------//
+---------------------------------+

* Trustix: 'bind' and 'openldap' updates
  January 29th, 2001

  A remote hole in bind allows the environment of the server process to
  be leaked to an attacker.

  bind-8.2.3-1tr.i586.rpm        1ff0878fb7b01f51c23607c1a06b28e5
  bind-devel-8.2.3-1tr.i586.rpm  048b5aae3b80be0e9a844726292471ef
  bind-utils-8.2.3-1tr.i586.rpm  9794142fc249de3946ed38202b53e5f1
  ftp://ftp.trustix.net/pub/Trustix/updates/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1104.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
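The "Checking Package Integrity" procedure near the top of this issue, as an added example that is not part of the newsletter or of any vendor's tooling: a POSIX shell script that computes a package's MD5 fingerprint with md5sum, compares it with the sum an advisory publishes, checks a whole advisory-style listing ("package md5" lines, the layout the Caldera, Mandrake and Trustix entries use) and only then prints the rpm -Uvh or dpkg -i command the newsletter gives for that package type. The function names, the package names, the listing and every checksum in it are constructed for the example; they are not vendor data. As the section itself notes, a matching sum shows the file is the one the packager published, not that the published sum was left untouched by whoever altered the package.

```shell
#!/bin/sh
# Added example (not from the newsletter or any vendor): verify a downloaded
# package against the MD5 sum published in an advisory before installing it.
# All package names, listings and checksums below are constructed samples.

# md5_of FILE : print the 32-hex-digit MD5 fingerprint of FILE.
# Uses GNU/BusyBox md5sum, or BSD md5(1) where md5sum is absent.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED : return 0 when FILE's fingerprint equals EXPECTED.
# The comparison is case-insensitive because advisories print either case.
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# check_listing LISTING DIR : LISTING holds "path-in-advisory md5" lines, the
# order used by the Caldera, Mandrake and Trustix entries; each package is
# looked for under DIR by its base name. Prints "OK name" or "FAILED name"
# per line and returns 1 if any package mismatched or is missing.
check_listing() {
    rc=0
    while read -r name sum; do
        [ -n "$name" ] || continue            # skip blank lines
        if verify_md5 "$2/$(basename "$name")" "$sum"; then
            echo "OK $name"
        else
            echo "FAILED $name"
            rc=1
        fi
    done < "$1"
    return $rc
}

# install_cmd FILE : print the install command the newsletter gives for the
# package type (printed, not executed, so the example is safe to run anywhere).
install_cmd() {
    case "$1" in
        *.rpm) echo "rpm -Uvh $1" ;;
        *.deb) echo "dpkg -i $1" ;;
        *)     echo "unknown package type: $1" >&2; return 2 ;;
    esac
}

# install_if_verified FILE EXPECTED : refuse to install on a mismatch.
install_if_verified() {
    if verify_md5 "$1" "$2"; then
        install_cmd "$1"
    else
        echo "checksum mismatch for $1; refusing to install" >&2
        return 1
    fi
}

# run_demo : build a constructed "download directory" holding one intact and
# one altered package, then check both against a constructed advisory
# listing. Prints one result line per package and an overall verdict.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/sample-1.0-1.i386.rpm"        # md5 b1946ac9...
    printf 'altered\n' > "$dir/sample-devel-1.0-1.i386.rpm" # will not match
    cat > "$dir/listing" <<'EOF'
RPMS/sample-1.0-1.i386.rpm b1946ac92492d2347c6235b4d2611184
RPMS/sample-devel-1.0-1.i386.rpm d41d8cd98f00b204e9800998ecf8427e
EOF
    if check_listing "$dir/listing" "$dir"; then
        echo "all packages verified"
    else
        echo "at least one package failed verification"
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

Run it as `sh verify-package.sh demo` to see the constructed listing checked, or source the file and call `install_if_verified /path/to/pkg.rpm <sum-from-advisory>` against a real download. Because the advisory listings put the package name before the sum while `md5sum -c` expects the opposite order, `check_listing` reads the advisory layout directly rather than rewriting it.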