Information Security News mailing list archives
Linux Advisory Watch, December 22nd 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 22 Dec 2000 12:00:40 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  December 22nd, 2000                      Volume 1, Number 34a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com    ben () linuxsecurity com

Unfortunately, a large number of advisories were released this week.
Many of you are taking time off for the holiday. We advise that you
spend a little extra time ensuring that your systems are ready for a
long, stable weekend.

This week, advisories were released for ed, stunnel, bitchx, zope, nano,
slocate, procfs, oops, halflifeserver, ethereal, netscape, pam, jpilot,
rp-pppoe, kerberised telnetd, ftpd, gnupg, mysql, and tcsh. The vendors
include Conectiva, Debian, FreeBSD, Mandrake, NetBSD, OpenBSD, Red Hat,
and Trustix.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

### OpenDoc Publishing ###

Our sponsor this week is OpenDoc Publishing. Their 480-page comprehensive
security book, Securing and Optimizing Linux, takes a hands-on approach
to installing, optimizing, configuring, and securing Red Hat Linux.
Topics include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much
more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.

  http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
  http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

  # rpm -Uvh <package>.rpm
  # dpkg -i <package>.deb

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged as either an rpm or a deb. Additional installation instructions
can be found in the body of the advisories.
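Comparing the published checksum is the step between downloading an update and running rpm -Uvh or dpkg -i on it; the "Checking Package Integrity" section that follows shows the manual md5sum command. The script below is an added example for this issue, not part of the newsletter and not any vendor's tooling. It reads a vendor checksum list in the two-column "<md5>  <filename>" form that md5sum prints and md5sum -c reads (the Trustix section of this issue publishes its checksums that way, and the Mandrake listings are the same data with paths in front), hashes each downloaded file in chunks, and reports ok, MISMATCH or MISSING, exiting non-zero so a download-and-install script stops before anything is installed. The package names and contents in demo() are constructed for the demonstration.

```python
"""Check downloaded update packages against a vendor's published MD5 list.

Added example for this newsletter; not vendor code. The list format is the
two-column "<md5>  <filename>" form that md5sum prints and `md5sum -c`
reads. Sample packages and their contents are constructed in demo().
"""
import hashlib
import os
import sys
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 of a file, read in chunks so large packages do not need RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse "md5  filename" lines into {filename: md5}; blank and # lines skipped."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("malformed checksum line %d: %r" % (lineno, line))
        digest, name = parts
        # md5sum prefixes binary-mode entries with '*'; strip it
        expected[name.lstrip("*").strip()] = digest.lower()
    return expected


def verify_packages(directory, md5sums_text):
    """Return {filename: "ok" | "MISMATCH" | "MISSING"} for every listed package.

    Listed names may carry a path prefix (7.2/RPMS/foo.rpm); only the base
    name is looked up in the download directory.
    """
    results = {}
    for name, digest in parse_md5sums(md5sums_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact package, one altered, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = b"intact package contents\n"
        with open(os.path.join(d, "pkg-1.0-1.i386.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "pkg-devel-1.0-1.i386.rpm"), "wb") as f:
            f.write(b"contents altered in transit\n")
        published = "\n".join([
            "%s  pkg-1.0-1.i386.rpm" % hashlib.md5(good).hexdigest(),
            "%s  pkg-devel-1.0-1.i386.rpm"
            % hashlib.md5(b"the contents the vendor built\n").hexdigest(),
            "d41d8cd98f00b204e9800998ecf8427e  pkg-doc-1.0-1.i386.rpm",
        ])
        return verify_packages(d, published)


if __name__ == "__main__":
    results = demo()
    for name in sorted(results):
        print("%-40s %s" % (name, results[name]))
    # non-zero exit lets a download-and-install script stop before rpm/dpkg
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

The check is only as good as where the list came from: a checksum fetched from the same mirror as the package proves nothing against whoever controls that mirror, so take the values from the vendor's advisory (as reproduced in this newsletter) rather than from the download directory where you can.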
+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to determine
whether the file has changed. It is commonly used to ensure the integrity
of updated packages distributed by a vendor.

  # md5sum <package>
  ebf0d4a0d236453f63a797ea20f0758b  <package>

The string of hex digits can then be compared against the MD5 checksum
published by the packager. This does not protect against an attacker who
can alter both the package and the published checksum (for example, one
who controls the mirror serving both), so compare against the checksum in
the vendor's advisory rather than one served alongside the package where
you can. With that caveat, it establishes a great deal of assurance in the
integrity of a package before installing it.

+---------------------------------+
|  Conectiva Advisories           | ----------------------------//
+---------------------------------+

* Conectiva: 'Zope' updates
  December 20th, 2000

Two hotfixes have been released that address security problems with
Zope-2.1.x:

  2000-12-15a: local roles computation. In some situations users with
  privileges in one folder could gain the same privileges on another
  folder.

  2000-12-18: image updating method. Users with DTML editing privileges
  could edit the raw data of a File or Image object via DTML, even
  though they did not have editing privileges on the objects themselves.

Additionally, the so-called POST bug was also fixed, where POST requests
would interfere with each other.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1006.html

* Conectiva: 'BitchX' vulnerability
  December 20th, 2000

BitchX is a text-mode IRC client. The versions distributed with Conectiva
Linux contain a vulnerability in the processing of malformed DNS
responses that could be used to crash the client or even execute remote
commands.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wserv-1.13-4cl.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1005.html

* Conectiva: 'stunnel' vulnerability
  December 20th, 2000

"stunnel" is a package which offers wrapped SSL connections for generic
TCP services, such as pop3, ldap and others. Versions prior to 3.9 have a
format string vulnerability in a syslog() call which could be exploited
remotely. The package distributed with Conectiva Linux 5.1 and 6.0 runs
the daemon as the "stunnel" user rather than as root, which limits what a
successful exploit can do but does not prevent it.

ftp://atualizacoes.conectiva.com.br/6.0/RPMS/stunnel-3.10-1cl.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1000.html

* Conectiva: 'ed' vulnerability
  December 15th, 2000

The "ed" editor creates temporary files in an insecure way, making it
vulnerable to symlink attacks.

ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ed-0.2-17cl.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-980.html

+---------------------------------+
|  Debian Advisories              | ----------------------------//
+---------------------------------+

* Debian: 'slocate' vulnerability
  December 16th, 2000

Michel Kaempf reported a security problem in slocate (a secure version of
locate, a tool to quickly locate files on a filesystem) on bugtraq which
was originally discovered by zorgon. He discovered there was a bug in the
database reading code which made it overwrite an internal structure with
some input. He then showed this could be exploited to trick slocate into
executing arbitrary code by pointing it to a carefully crafted database.
Please see vendor advisory:

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/slocate_2.4-2potato1_i386.deb
MD5 checksum: ff79ebacf5cfa910608f3cdaff043255

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-986.html

* Debian: 'nano' vulnerability
  December 16th, 2000

The problem that was previously reported for joe also occurs with other
editors. When nano (a free pico clone) unexpectedly dies it tries to
write a warning message to a new file with a predictable name (the name
of the file being edited with ".save" appended). Unfortunately that file
was not created safely, which made nano vulnerable to a symlink attack.

Please see vendor advisory:

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/nano-tiny_0.9.23-1_i386.deb
MD5 checksum: fd018ffdb6bf1932b96473969bcf9ef9
http://security.debian.org/dists/stable/updates/main/binary-i386/nano_0.9.23-1_i386.deb
MD5 checksum: ce7487c7aa0ce8ed1b791f51b5ece31c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-985.html

* Debian: Zope privilege escalation vulnerability
  December 19th, 2000

Last week a Zope security advisory was released which indicated Erik Enge
found a problem in the way Zope calculates roles. In some situations Zope
checked the wrong folder hierarchy, which could cause it to grant local
roles when it should not. In other words: users with privileges in one
folder could gain privileges in another folder.

Please see vendor advisory:

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-5.3_i386.deb
MD5 checksum: 87b83c513e9a4f7360fe9427f5ec45c9

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-992.html

* Debian: 'zope' vulnerability
  December 20th, 2000

A busy week for the Zope team: on Monday another security alert was
released revealing a potential problem found by Peter Kelly.
This problem involved incorrect protection of data updating for Image
and File objects: any user with DTML editing privileges could update the
File or Image object data directly.

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/binary-i386/zope_2.1.6-5.4_i386.deb
MD5 checksum: 0107b0c7104d3cb97db6f9afc18e2005

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-999.html

+---------------------------------+
|  FreeBSD Advisories             | ----------------------------//
+---------------------------------+

* FreeBSD: 'bitchx' ports vulnerability
  December 20th, 2000

The bitchx port, versions prior to 1.0c17_1, contains a remote
vulnerability. Through a stack overflow in the DNS parsing code, a
malicious remote user in control of their reverse DNS records may crash
a bitchx session, or cause arbitrary code to be executed by the user
running bitchx.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1001.html

* FreeBSD: 'oops' port vulnerability
  December 20th, 2000

The oops port, versions prior to 1.5.2, contains remote vulnerabilities
through buffer and stack overflows in the HTML parsing code. These
vulnerabilities may allow remote users to execute arbitrary code as the
user running oops.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1002.html

* FreeBSD: 'halflifeserver' ports vulnerability
  December 20th, 2000

The halflifeserver port, versions prior to 3.1.0.4, contains local and
remote vulnerabilities through buffer overflows and format string
vulnerabilities. These vulnerabilities may allow remote users to execute
arbitrary code as the user running halflifeserver.
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1003.html

* FreeBSD: 'ethereal' ports vulnerability
  December 20th, 2000

The ethereal port, versions prior to 0.8.14, contains buffer overflows
which allow a remote attacker to crash ethereal or execute arbitrary code
on the local system as the user running ethereal, typically the root
user. These vulnerabilities are identical to those described in advisory
00:61 relating to tcpdump.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1004.html

* FreeBSD: 'procfs' vulnerability
  December 18th, 2000

Unprivileged local users can gain superuser privileges due to
insufficient access control checks on the /proc/<pid>/mem and
/proc/<pid>/ctl files, which respectively give access to a process's
address space and allow various control operations on the process.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.2.patch

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-988.html

+---------------------------------+
|  Mandrake Advisories            | ----------------------------//
+---------------------------------+

* Mandrake: 'jpilot' vulnerability
  December 16th, 2000

The jpilot program automatically creates a directory called .jpilot/ in
the user's home directory with 777 (world read/write/execute)
permissions. This directory is used to store all backups, configuration
and synchronized Palm Pilot information.
Linux-Mandrake 7.2:
7.2/RPMS/jpilot-0.98.1-7.1mdk.i586.rpm
MD5 Checksum: b18bdac08b3fa7055ff1d25d5bb3ddfb
7.2/RPMS/jpilot-plugin-devel-0.98.1-7.1mdk.i586.rpm
MD5 Checksum: e52bf9543f756969e8fab8520e8156e8
7.2/SRPMS/jpilot-0.98.1-7.1mdk.src.rpm
MD5 Checksum: 072404194e6a31fc8991fb8a98cf16d8

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-982.html

* Mandrake: 'netscape' buffer overflow
  December 15th, 2000

A buffer overflow exists in the HTML parser code of the Netscape web
browser in all versions up to and including 4.75. This buffer overflow
can be exploited by a remote attacker or web site.

7.2/RPMS/netscape-common-4.76-3.3mdk.i586.rpm
MD5 Checksum: e5423e05cf603032b0f2f15722f9f435
7.2/RPMS/netscape-communicator-4.76-3.3mdk.i586.rpm
MD5 Checksum: a51f2cfaf43e67e67838983b2c15e644

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-981.html

* Mandrake: 'Zope' vulnerability
  December 16th, 2000

There is an issue involving security registration of "legacy" names for
certain object constructors, such as the constructors for DTML Method
objects. Security was not being applied correctly for the legacy names,
making it possible to call those constructors without the permissions
that should have been required. This vulnerability could allow anonymous
users with enough knowledge of Zope to instantiate new DTML Method
instances through the web.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-987.html

* Mandrake: 'pam' vulnerability [UPDATED]
  December 16th, 2000

The pam_localuser module, which is part of the pam package, contains a
buffer overflow vulnerability. This module is not used in any default
configuration; for a user to be exploited, they would have to manually
insert it into a configuration file in the /etc/pam.d directory.
Linux-Mandrake 7.2:
7.2/RPMS/pam-0.72-13.1mdk.i586.rpm
MD5 Checksum: 8a78141a4e4104493fa3e54a3d114454
7.2/RPMS/pam-devel-0.72-13.1mdk.i586.rpm
MD5 Checksum: 6ad4ec3a6264a7b6616b87e75c3a29d3
7.2/RPMS/pam-doc-0.72-13.1mdk.i586.rpm
MD5 Checksum: b6cee6af9f62a5c335158794a9286113
7.2/SRPMS/pam-0.72-13.1mdk.src.rpm
MD5 Checksum: 3729083b850b06722a3eab2cc31d818c

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-984.html

* Mandrake: 'pam' vulnerability
  December 16th, 2000

This is the original advisory for the pam_localuser buffer overflow
described in the [UPDATED] entry above, with the earlier 0.72-12.1mdk
packages. As above, the module is not used in any default configuration;
a user would have to insert it into a file under /etc/pam.d manually to
be exposed.

Linux-Mandrake 7.2:
7.2/RPMS/pam-0.72-12.1mdk.i586.rpm
MD5 Checksum: f2dac7c4b7049e119b0172a229fb565f
7.2/RPMS/pam-devel-0.72-12.1mdk.i586.rpm
MD5 Checksum: 633f0e2f17f808ee13cfefc7e1d76743
7.2/RPMS/pam-doc-0.72-12.1mdk.i586.rpm
MD5 Checksum: 817a109423f3b9ef84b3e4419bf29b27
7.2/SRPMS/pam-0.72-12.1mdk.src.rpm
MD5 Checksum: e5b5708c721a69458e9df9361ea9fd46

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-983.html

* Mandrake: slocate vulnerability
  December 19th, 2000

Michel Kaempf reported a security problem in slocate (a secure version of
locate, a tool to quickly locate files on a filesystem) on bugtraq which
was originally discovered by zorgon. He discovered that there was a bug
in the database reading code which made it overwrite an internal
structure with some input. He then showed this could be exploited to
trick slocate into executing arbitrary code by pointing it to a carefully
crafted database.
Linux-Mandrake 7.2:
7.2/RPMS/slocate-2.4-1.1mdk.i586.rpm
MD5 Checksum: 9aef7c832bab7ce7c54779df4093ea77
7.2/SRPMS/slocate-2.4-1.1mdk.src.rpm
MD5 Checksum: a0ac029974980068cbe6ac3d6f4e71f9

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-990.html

* Mandrake: rp-pppoe vulnerability
  December 19th, 2000

rp-pppoe is a userspace PPPoE client mainly used with ADSL connections
which require PPP. Versions prior to 2.5 have a security problem that,
when exploited, causes the connection to be dropped. If rp-pppoe receives
a crafted TCP segment containing an option whose option-length field is
zero (illegal), the program enters an infinite loop and the connection
times out and is dropped. This is only possible if the user uses the
"Clamp MSS" option.

Linux-Mandrake 7.2:
7.2/RPMS/rp-pppoe-2.5-2.2mdk.i586.rpm
MD5 Checksum: d64a2bff24c05941624865facbc3ac8e
7.2/SRPMS/rp-pppoe-2.5-2.2mdk.src.rpm
MD5 Checksum: 0fdd0cc473288e52e64087025b93f341

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-991.html

+---------------------------------+
|  NetBSD Advisories              | ----------------------------//
+---------------------------------+

* NetBSD: 'ftpd' buffer overflow
  December 20th, 2000

A one-byte buffer overrun was found in the ftp server daemon
(/usr/libexec/ftpd). It is rumored to be remotely exploitable.

ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20001220-ftpd-1.5

Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-1008.html

* NetBSD: 'kerberised telnetd' and 'libkrb' vulnerabilities
  December 20th, 2000

A too liberal implementation in telnetd, combined with bugs in libkrb,
makes it possible for authorized users of a system to obtain root access
on that system.
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20001220-krb

Vendor Advisory:
http://www.linuxsecurity.com/advisories/netbsd_advisory-1007.html

+---------------------------------+
|  OpenBSD Advisories             | ----------------------------//
+---------------------------------+

* OpenBSD: 'ftpd' buffer overflow
  December 19th, 2000

A relatively obscure one-byte buffer overflow bug present in ftpd(8)
turns out to be a serious problem, yielding remote users root access
under certain conditions. For a system to be vulnerable, ftpd must have
been explicitly enabled by the administrator (OpenBSD ships with it OFF
by default) and the attacker must have write access to at least one
directory. Therefore, anonymous read-only FTP servers are safe (we
recommend applying the patch regardless, of course). Non-anonymous FTP
administrators should seriously consider using a more secure transport
like SSH.

PLEASE SEE VENDOR ADVISORY

Vendor Advisory:
http://www.linuxsecurity.com/advisories/openbsd_advisory-995.html

+---------------------------------+
|  Red Hat Advisories             | ----------------------------//
+---------------------------------+

* Red Hat: Zope-Hotfix vulnerability
  December 18th, 2000

A new Zope-Hotfix package is available which fixes issues with
computation of local roles.

noarch:
ftp://updates.redhat.com/powertools/7.0/noarch/
  Zope-Hotfix-localroles-2000_12_15a-1.noarch.rpm
MD5 Checksum: a8b58411ed4e4c8238e9f05157f97516

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-989.html

* Red Hat: 'stunnel' vulnerability
  December 19th, 2000

Stunnel version 3.8 (and earlier) contained a format-string
vulnerability. Version 3.9 closes this vulnerability.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/stunnel-3.9-1.alpha.rpm
MD5 Checksum: 6ea8e52b59f22d1918d09f5ddbb4b5d5
i386:
ftp://updates.redhat.com/7.0/i386/stunnel-3.9-1.i386.rpm
MD5 Checksum: ad9ac81fc70618cf66826d7f16435c6e

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-993.html

* Red Hat: 'slocate' heap overflow
  December 19th, 2000

New slocate packages are available for Red Hat Linux 6.x and Red Hat
Linux 7. These fix a problem with the database parsing code in slocate.
(slocate was not shipped with Red Hat Linux prior to version 6.0, so
earlier versions are not affected.)

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com//7.0/alpha/slocate-2.4-1.alpha.rpm
MD5 Checksum: 5ee5ec5f65e200e9d03f4d2dda43ce07
i386:
ftp://updates.redhat.com//7.0/i386/slocate-2.4-1.i386.rpm
MD5 Checksum: ba3b1c1743ec957cb8abb05818e05854

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-996.html

* Red Hat: 'rp-pppoe' DoS
  December 20th, 2000

Bad TCP packets (e.g. a SYN packet with kind=3, len=0) over a
PPP-over-Ethernet link could lock up rp-pppoe.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-997.html

* Red Hat: two 'gnupg' vulnerabilities
  December 20th, 2000

When importing keys from public key servers, GnuPG will import private
keys (also known as secret keys) in addition to public keys. If this
happens, the user's web of trust becomes corrupted. Additionally, when
used to check detached signatures, if the data file being checked
contained clearsigned data, GnuPG would not warn the user if the detached
signature was incorrect.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com//7.0/alpha/gnupg-1.0.4-9.alpha.rpm
MD5 Checksum: 1f476ae8f5453655a4a61174de187d15
i386:
ftp://updates.redhat.com//7.0/i386/gnupg-1.0.4-9.i386.rpm
MD5 Checksum: 88ac7d34da177b6c469e0f2a0f6117e6

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-997.html

+---------------------------------+
|  Trustix Advisories             | ----------------------------//
+---------------------------------+

* Trustix: 'ed', 'tcsh', and 'ftpd-BSD' vulnerabilities
  December 19th, 2000

A problem existed in replydirname() causing a buffer overflow and a
possible exploit on certain operating systems and architectures.
Linux/x86 is supposedly not vulnerable to this particular bug because of
4-byte alignment of memory, but we thought everybody would feel better
with a patched version.

For version 1.2:
bd4276648134d82d4bccc87441ee6b77  ed-0.2-17tr.i586.rpm
0a254e36df580061da0b45fbca6d5e92  ftpd-BSD-0.3.2-4tr.i586.rpm
679cb64c880fc4c7cdcbd5435cc41d01  ed-0.2-17tr.src.rpm
17435c96d6d21d47f7ebd3d70b55e27d  ftpd-BSD-0.3.2-4tr.src.rpm

http://www.trustix.net/pub/Trustix/updates/

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-994.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".
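The two rp-pppoe entries above (Mandrake and Red Hat) describe the failure precisely: a TCP option whose length byte is zero stops the option walker from ever advancing, and rp-pppoe only walks the options when "Clamp MSS" is on. The following is an added example, not rp-pppoe's code, written in Python rather than C so it runs anywhere: it puts the trusting walker beside a validated one and builds an MSS clamp on the validated version, so a crafted segment is rejected instead of stalling the relay. Option encoding follows RFC 793 (kind 0 ends the list, kind 1 is a one-byte NOP, every other option is kind, length, data with the length counting its own two header bytes). The two option blocks at the bottom are constructed, the second being the "kind=3, len=0" case from the Red Hat entry.

```python
"""TCP option walking, as an MSS-clamping PPPoE relay does it, with the
zero-length-option hang from the rp-pppoe advisories.

Added example, not rp-pppoe's code. Option layout is RFC 793's: kind 0 ends
the list, kind 1 (NOP) is a single byte, every other option is
<kind><length><data> where length counts its own two header bytes, so any
length below 2 is illegal. The option blocks at the bottom are constructed.
"""
import struct

TCPOPT_EOL = 0
TCPOPT_NOP = 1
TCPOPT_MAXSEG = 2
TCPOPT_WSCALE = 3


def walk_options_unsafe(opts, max_steps=1000):
    """A walker that trusts the length byte: the bug class.

    Returns [(kind, offset, length), ...]. A length of 0 leaves the index
    where it was, so the loop never ends; max_steps exists only so this
    demonstration returns None instead of hanging the way the daemon did.
    """
    found = []
    i = 0
    steps = 0
    while i < len(opts):
        steps += 1
        if steps > max_steps:
            return None                    # would have spun forever
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = opts[i + 1]               # unchecked: may also read past the end
        found.append((kind, i, length))
        i += length                        # length == 0 -> no progress


    return found


def walk_options(opts):
    """Validated walker: raises ValueError on a malformed block instead of looping.

    Checks that the length byte is present, that length >= 2, that the option
    fits inside the block, and that MSS (kind 2) has its fixed length of 4.
    """
    found = []
    i, n = 0, len(opts)
    while i < n:
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option kind %d truncated before its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > n:
            raise ValueError("illegal option length %d for kind %d" % (length, kind))
        if kind == TCPOPT_MAXSEG and length != 4:
            raise ValueError("MSS option must be 4 bytes, got %d" % length)
        found.append((kind, i, length))
        i += length
    return found


def is_malformed(opts):
    """True if the validated walker rejects the block (the relay should drop it)."""
    try:
        walk_options(opts)
    except ValueError:
        return True
    return False


def clamp_mss(opts, max_mss):
    """Rewrite the MSS option to at most max_mss; returns the new option bytes.

    Validation runs first, so a crafted segment raises ValueError (the caller
    drops it) rather than stalling the relay; the input bytes are untouched.
    """
    out = bytearray(opts)
    for kind, off, _length in walk_options(opts):
        if kind == TCPOPT_MAXSEG:
            (cur,) = struct.unpack("!H", bytes(out[off + 2:off + 4]))
            if cur > max_mss:
                out[off + 2:off + 4] = struct.pack("!H", max_mss)
    return bytes(out)


# Constructed samples: a normal SYN's options (MSS 1460, NOP, window scale 7)
# and the malicious one from the Red Hat entry, kind=3 with length 0.
GOOD_SYN_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x07"
BAD_SYN_OPTS = b"\x02\x04\x05\xb4\x03\x00\x00\x00"
```

The difference between the two walkers is a single bounds check on a field the remote peer controls; the unsafe version is also one short option away from reading past the end of the segment, which in C is an out-of-bounds read rather than Python's IndexError.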
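Three entries in this issue are the same bug class: Conectiva's ed, Debian's nano and Trustix's ed and tcsh all create a file whose name an attacker can predict, by opening it for writing, which follows a symlink planted under that name. The following is an added example, not code from any of those editors. It models the nano case from the Debian entry (a crash handler writing the buffer to "<file>.save"), shows the open-for-writing pattern overwriting a victim's file through a planted link, and the O_CREAT|O_EXCL open that refuses; for scratch files like ed's, where no particular name is needed, mkstemp() adds an unguessable name on top of the same flags. It assumes a POSIX system with symlinks; the directory, file names and contents in demo() are constructed.

```python
"""Writing a recovery file with a predictable name without following a
planted symlink.

Added example; not nano's, ed's or tcsh's code. Models the nano case: the
editor, dying unexpectedly, writes its buffer to "<file>.save". An attacker
who can predict that name creates it ahead of time as a symlink to a file
the victim can write. Assumes a POSIX system with symlink support; the
names and contents in demo() are constructed.
"""
import os
import tempfile


def save_buffer_unsafe(path, data):
    """The vulnerable pattern: fopen(path, "w") follows symlinks and truncates."""
    with open(path, "w") as f:
        f.write(data)


def save_buffer_safe(path, data):
    """Create the save file only if nothing has that name yet.

    O_CREAT|O_EXCL makes the open fail with EEXIST if anything already has
    the name, a symlink included, and does so atomically, so there is no
    check-then-open window. O_NOFOLLOW is added where the OS defines it.
    Mode 0o600 keeps the recovered buffer private. Raises FileExistsError
    instead of writing through the attacker's link.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:        # fdopen owns fd and closes it
        f.write(data)


def make_scratch_file(directory, data):
    """ed-style temporary file: mkstemp opens it O_CREAT|O_EXCL with mode 0600
    and a random suffix, so there is no name for an attacker to plant."""
    fd, path = tempfile.mkstemp(prefix="ed.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Constructed attack: victim.txt.save is pre-planted as a link to secret.txt."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")
        planted = os.path.join(d, "victim.txt.save")

        def reset_target():
            with open(target, "w") as f:
                f.write("original secret\n")

        def read_target():
            with open(target) as f:
                return f.read()

        reset_target()
        os.symlink(target, planted)          # the attacker's move

        save_buffer_unsafe(planted, "editor buffer\n")
        clobbered = read_target() == "editor buffer\n"

        reset_target()
        try:
            save_buffer_safe(planted, "editor buffer\n")
            refused = False
        except FileExistsError:
            refused = True
        intact = read_target() == "original secret\n"

        scratch = make_scratch_file(d, "scratch\n")
        scratch_mode = os.stat(scratch).st_mode & 0o777

        return {
            "unsafe_clobbered": clobbered,
            "safe_refused": refused,
            "safe_target_intact": intact,
            "scratch_mode": scratch_mode,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, oct(value) if key == "scratch_mode" else value))
```

The check must be in the open flags, not a separate lstat() beforehand: an attacker who can plant the link once can also plant it between a check and the open, and O_EXCL is the only way to make the two one operation.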