Information Security News mailing list archives

Linux Advisory Watch, December 22nd 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 22 Dec 2000 12:00:40 -0500

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  December 22nd, 2000                     Volume 1, Number 34a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com


Unfortunately, a large number of advisories were released this week,
and many of you are taking time off for the holiday. We advise that
you spend a little extra time ensuring that your systems are ready
for a long, stable weekend.  This week, advisories were released for
ed, stunnel, bitchx, zope, nano, slocate, procfs, oops,
halflifeserver, ethereal, netscape, pam, jpilot, rp-pppoe, kerberised
telnetd, ftpd, gnupg, mysql, and tcsh.  The vendors include
Conectiva, Debian, FreeBSD, Mandrake, NetBSD, OpenBSD, Red Hat, and
Trustix.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.


###  OpenDoc Publishing   ###

Our sponsor this week is OpenDoc Publishing.  Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html


+---------------------------------+
|   Installing a new package:     | ------------------------------//
+---------------------------------+

   # rpm  -Uvh package.rpm
   # dpkg -i package.deb

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager); package.rpm and
package.deb above stand for the updated file downloaded from the
vendor.  Most advisories issued by vendors are packaged as either an
rpm or a deb.  Additional installation instructions can be found in
the body of the advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command computes a 128-bit fingerprint that depends strongly
on the contents of the file it is applied to.  Comparing it against a
previously generated sum shows whether the file has changed, and it is
commonly used to check the integrity of updated packages distributed by
a vendor.

  # md5sum package.rpm
    ebf0d4a0d236453f63a797ea20f0758b  package.rpm

The hex string is then compared against the MD5 checksum published by
the packager (most of the advisories below list one per file).  Keep
the limit of this check in mind: anyone able to replace a package on a
mirror may be able to replace the published checksum as well, so a
matching sum shows that the download is intact and identical to what
the advisory describes, not who produced it.  Where the vendor signs
its packages, also verify the signature (for rpm, "rpm --checksig
package.rpm" after importing the vendor's public key) before
installing.  MD5 is also no longer collision resistant, so prefer a
vendor's signature or SHA-2 sums where they are offered.


+---------------------------------+
|       Conectiva Advisories      | ----------------------------//
+---------------------------------+


* Conectiva:  'Zope' updates
December 20th, 2000

Two hotfixes have been released that address security problems with
Zope 2.1.x.  2000-12-15a (local roles computation): in some situations
users with privileges in one folder could gain the same privileges on
another folder.  2000-12-18 (image updating method): users with DTML
editing privileges could edit the raw data of a File or Image object
via DTML, even though they did not have editing privileges on the
objects themselves.  Additionally, the so-called POST bug, where POST
requests would interfere with each other, was also fixed.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1006.html



* Conectiva:  'BitchX' vulnerability
December 20th, 2000

BitchX is a text-mode IRC client. The versions distributed with
Conectiva Linux contain a vulnerability in the processing of
malformed DNS responses that could be used to crash the client or
even to execute arbitrary code remotely.

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 wserv-1.13-4cl.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1005.html




* Conectiva:  'stunnel' vulnerability
December 20th, 2000

"stunnel" is a package which offers wrapped SSL connections for
generic TCP services, such as pop3, ldap and others. Versions prior
to 3.9 have a format string vulnerability in a syslog() call which
could be exploited remotely. The package distributed with Conectiva
Linux 5.1 and 6.0 runs the daemon as the "stunnel" user and not as
root, which diminishes the effect of this vulnerability somewhat.

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 stunnel-3.10-1cl.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1000.html



* Conectiva:  'ed' vulnerability
December 15th, 2000

The "ed" editor creates temporary files in an insecure way, making it
vulnerable to symlink attacks.

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ed-0.2-17cl.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-980.html





+---------------------------------+
|       Debian Advisories         | ----------------------------//
+---------------------------------+


* Debian:  'slocate' vulnerability
December 16th, 2000

Michel Kaempf reported a security problem in slocate (a secure
version of locate, a tool to quickly locate files on a filesystem) on
bugtraq which was originally discovered by zorgon. He discovered
there was a bug in the database reading code which made it overwrite
an internal structure with some input. He then showed this could be
exploited to trick slocate into executing arbitrary code by pointing
it to a carefully crafted database.

 Please see vendor advisory:

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/binary-i386/
 slocate_2.4-2potato1_i386.deb

 MD5 checksum: ff79ebacf5cfa910608f3cdaff043255

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-986.html




* Debian:  'nano' vulnerability
December 16th, 2000

The problem that was previously reported for joe also occurs with
other editors. When nano (a free pico clone) unexpectedly dies it
tries to save its buffer to a new file with a predictable name (the
name of the file being edited with ".save" appended). Unfortunately
that file was not created safely, which made nano vulnerable to a
symlink attack.

 Please see vendor advisory:

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/binary-i386/
 nano-tiny_0.9.23-1_i386.deb

 MD5 checksum: fd018ffdb6bf1932b96473969bcf9ef9

 http://security.debian.org/dists/stable/updates/main/binary-i386/
 nano_0.9.23-1_i386.deb

 MD5 checksum: ce7487c7aa0ce8ed1b791f51b5ece31c

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-985.html
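The ed and nano items above describe the same failure mode: a program
writes to a file name an attacker can predict, using an open() that
follows symlinks and does not insist on creating the file itself.  The
C program below is an added illustration for this newsletter, not code
from ed, nano or their packagers; the directory and file names in it
are made up, and it works in a scratch directory it creates under /tmp.
It plants a symlink at a predictable ".save" name, shows that a plain
O_CREAT open writes through the link into the victim file, and then
shows the two fixes: O_CREAT|O_EXCL|O_NOFOLLOW when the name is fixed,
and mkstemp() when it need not be.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* UNSAFE: a predictable name opened with O_CREAT but without O_EXCL.
 * If an attacker has already planted a symlink at that name, open()
 * follows it and the data is written into whatever the link points to. */
int unsafe_save(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* SAFER for a name you cannot change: O_EXCL makes creation atomic and
 * fails if anything already sits at the path (a symlink included);
 * O_NOFOLLOW additionally refuses a symlink as the final component. */
int safe_save_fixed_name(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* BEST for a true temporary: mkstemp() picks an unpredictable name and
 * creates it with O_EXCL in one step. The chosen path is copied to 'out'. */
int safe_save_tmp(const char *dir, const char *data, char *out, size_t outsz)
{
    char tmpl[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/ed.XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    snprintf(out, outsz, "%s", tmpl);
    return n < 0 ? -1 : 0;
}

/* Reads a small text file back so the outcome can be checked. */
static int read_small(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, bufsz - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (int)n;
}

/* Plays attacker and victim in a private scratch directory (constructed
 * names): a victim file, a symlink planted at the predictable ".save"
 * name, then each open() strategy in turn. Returns 1 when the unsafe
 * open clobbered the victim, the O_EXCL|O_NOFOLLOW open refused, and
 * mkstemp() succeeded; 0 or -1 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/nanosaveXXXXXX";
    if (!mkdtemp(dir)) return -1;

    char victim[PATH_MAX], save[PATH_MAX], tmpname[PATH_MAX], buf[64];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(save, sizeof save, "%s/notes.txt.save", dir);

    unsafe_save(victim, "original contents\n");        /* victim pre-exists  */
    if (symlink(victim, save) != 0) return -1;         /* attacker's symlink */

    int clobbered = unsafe_save(save, "attacker data\n") == 0
                 && read_small(victim, buf, sizeof buf) > 0
                 && strcmp(buf, "attacker data\n") == 0;

    int refused = safe_save_fixed_name(save, "x") == -1
               && (errno == EEXIST || errno == ELOOP);

    int tmp_ok = safe_save_tmp(dir, "x", tmpname, sizeof tmpname) == 0;

    unlink(save); unlink(victim);
    if (tmp_ok) unlink(tmpname);
    rmdir(dir);
    return clobbered && refused && tmp_ok;
}

int main(void)
{
    puts(demo() == 1 ? "unsafe open followed the symlink; O_EXCL|O_NOFOLLOW refused it"
                     : "demo did not behave as expected");
    return 0;
}
```

Build it with "cc -Wall" and run it as an unprivileged user on Linux or
another system that provides O_NOFOLLOW and mkdtemp().  The race is not
specific to /tmp: the ".save" name beside the edited file is a problem
whenever the directory holding that file is writable by other users.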





* Debian: Zope privilege escalation vulnerability
December 19th, 2000

Last week a Zope security advisory was released which indicated that
Erik Enge had found a problem in the way Zope calculates roles. In
some situations Zope checked the wrong folder hierarchy, which could
cause it to grant local roles when it should not. In other words,
users with privileges in one folder could gain privileges in another
folder.

 Please see vendor advisory:

 Intel ia32 architecture:

 http://security.debian.org/dists/stable/updates/main/binary-i386/
 zope_2.1.6-5.3_i386.deb

 MD5 checksum: 87b83c513e9a4f7360fe9427f5ec45c9

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-992.html




* Debian:  'zope' vulnerability
December 20th, 2000

A busy week for the Zope team: on Monday another security alert was
released revealing a potential problem found by Peter Kelly. This
problem involved incorrect protection of data updating for Image and
File objects: any user with DTML editing privileges could update the
File or Image object data directly.

 Intel ia32 architecture:

 http://security.debian.org/dists/stable/updates/main/binary-i386/
 zope_2.1.6-5.4_i386.deb

 MD5 checksum: 0107b0c7104d3cb97db6f9afc18e2005

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-999.html




+---------------------------------+
|       FreeBSD Advisories        | ----------------------------//
+---------------------------------+

* FreeBSD:  'bitchx' ports vulnerability
December 20th, 2000

The bitchx port, versions prior to 1.0c17_1, contains a remote
vulnerability. Through a stack overflow in the DNS parsing code, a
malicious remote user in control of their reverse DNS records may
crash a bitchx session, or cause arbitrary code to be executed by the
user running bitchx.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1001.html


* FreeBSD:  'oops' port vulnerability
December 20th, 2000

The oops port, versions prior to 1.5.2, contains remote
vulnerabilities through buffer and stack overflows in the HTML
parsing code. These vulnerabilities may allow remote users to execute
arbitrary code as the user running oops.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1002.html



* FreeBSD:  'halflifeserver' ports vulnerability
December 20th, 2000

The halflifeserver port, versions prior to 3.1.0.4, contains local
and remote vulnerabilities through buffer overflows and format string
vulnerabilities. These vulnerabilities may allow remote users to
execute arbitrary code as the user running halflifeserver.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1003.html



* FreeBSD:  'ethereal' ports vulnerability
December 20th, 2000

The ethereal port, versions prior to 0.8.14, contains buffer
overflows which allow a remote attacker to crash ethereal or execute
arbitrary code on the local system as the user running ethereal,
typically the root user. These vulnerabilities are identical to those
described in advisory 00:61 relating to tcpdump.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1004.html




* FreeBSD:  'procfs' vulnerability
December 18th, 2000

Unprivileged local users can gain superuser privileges due to
insufficient access control checks on the /proc/<pid>/mem and
/proc/<pid>/ctl files, which give access to a process's address space
and allow various control operations on the process, respectively.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:77/procfs.4.2.patch

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-988.html





+---------------------------------+
|       Mandrake Advisories       | ----------------------------//
+---------------------------------+



* Mandrake:  'jpilot' vulnerability
December 16th, 2000

The jpilot program automatically creates a directory called .jpilot/
in the user's home directory with mode 777 (world readable, writable
and executable). This directory holds all backups, configuration and
synchronized Palm Pilot data, so any local user can read or modify
them.

 Linux-Mandrake 7.2:
 7.2/RPMS/jpilot-0.98.1-7.1mdk.i586.rpm
 MD5 Checksum:  b18bdac08b3fa7055ff1d25d5bb3ddfb

 7.2/RPMS/jpilot-plugin-devel-0.98.1-7.1mdk.i586.rpm
 MD5 Checksum:  e52bf9543f756969e8fab8520e8156e8

 7.2/SRPMS/jpilot-0.98.1-7.1mdk.src.rpm
 MD5 Checksum:  072404194e6a31fc8991fb8a98cf16d8

 http://www.linux-mandrake.com/en/ftp.php3

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-982.html




* Mandrake:  'netscape' buffer overflow
December 15th, 2000

A buffer overflow exists in the HTML parser code of the Netscape web
browser in all versions prior to and including 4.75. This buffer
overflow can be exploited by a remote attacker or web site.

 7.2/RPMS/netscape-common-4.76-3.3mdk.i586.rpm
 MD5 Checksum:  e5423e05cf603032b0f2f15722f9f435
 7.2/RPMS/netscape-communicator-4.76-3.3mdk.i586.rpm
 MD5 Checksum:  a51f2cfaf43e67e67838983b2c15e644

 http://www.linux-mandrake.com/en/ftp.php3

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-981.html



* Mandrake:  'Zope' vulnerability
December 16th, 2000

There is an issue involving security registration of "legacy" names
for certain object constructors such as the constructors for DTML
Method Objects. Security was not being applied correctly for the
legacy names, making it possible to call those constructors without
the permissions that should have been required. This vulnerability
could allow anonymous users with enough knowledge of Zope to
instantiate new DTML Method instances through the web.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-987.html




* Mandrake: 'pam' vulnerability [UPDATED]
December 16th, 2000

The pam_localuser module, which is a part of the pam package,
contains a buffer overflow vulnerability. This module is not used in
any default configuration and for a user to be exploited, they would
have to manually insert it into a configuration file in the
/etc/pam.d directory.

 Linux-Mandrake 7.2:
 7.2/RPMS/pam-0.72-13.1mdk.i586.rpm
 MD5 Checksum:  8a78141a4e4104493fa3e54a3d114454

 7.2/RPMS/pam-devel-0.72-13.1mdk.i586.rpm
 MD5 Checksum:  6ad4ec3a6264a7b6616b87e75c3a29d3

 7.2/RPMS/pam-doc-0.72-13.1mdk.i586.rpm
 MD5 Checksum:  b6cee6af9f62a5c335158794a9286113

 7.2/SRPMS/pam-0.72-13.1mdk.src.rpm
 MD5 Checksum:  3729083b850b06722a3eab2cc31d818c

 http://www.linux-mandrake.com/en/ftp.php3

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-984.html





* Mandrake:  'pam' vulnerability
December 16th, 2000

The pam_localuser module, which is a part of the pam package,
contains a buffer overflow vulnerability. This module is not used in
any default configuration and for a user to be exploited, they would
have to manually insert it into a configuration file in the
/etc/pam.d directory.

 Linux-Mandrake 7.2:
 7.2/RPMS/pam-0.72-12.1mdk.i586.rpm
 MD5 Checksum:  f2dac7c4b7049e119b0172a229fb565f

 7.2/RPMS/pam-devel-0.72-12.1mdk.i586.rpm
 MD5 Checksum:  633f0e2f17f808ee13cfefc7e1d76743

 7.2/RPMS/pam-doc-0.72-12.1mdk.i586.rpm
 MD5 Checksum:  817a109423f3b9ef84b3e4419bf29b27

 7.2/SRPMS/pam-0.72-12.1mdk.src.rpm
 MD5 Checksum:  e5b5708c721a69458e9df9361ea9fd46

 http://www.linux-mandrake.com/en/ftp.php3

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-983.html



* Mandrake: slocate vulnerability
December 19th, 2000

Michel Kaempf reported a security problem in slocate (a secure
version of locate, a tool to quickly locate files on a filesystem) on
bugtraq which was originally discovered by zorgon. He discovered that
there was a bug in the database reading code which made it overwrite
an internal structure with some input. He then showed this could be
exploited to trick slocate into executing arbitrary code by pointing
it to a carefully crafted database.

 Linux-Mandrake 7.2:
 7.2/RPMS/slocate-2.4-1.1mdk.i586.rpm
 MD5 Checksum:  9aef7c832bab7ce7c54779df4093ea77

 7.2/SRPMS/slocate-2.4-1.1mdk.src.rpm
 MD5 Checksum:  a0ac029974980068cbe6ac3d6f4e71f9

 http://www.linux-mandrake.com/en/ftp.php3

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-990.html



* Mandrake: rp-pppoe vulnerability
December 19th, 2000

rp-pppoe is a userspace PPPoE client mainly used with ADSL
connections which require PPP. Versions prior to 2.5 have a security
problem that, when exploited, causes the connection to be dropped. If
rp-pppoe receives a crafted TCP segment with an option where the
option-length field is zero (illegal), the program would enter an
infinite loop and the connection would time-out and be dropped. This
is only possible if the user uses the "Clamp MSS" option.

 Linux-Mandrake 7.2:
 7.2/RPMS/rp-pppoe-2.5-2.2mdk.i586.rpm
 MD5 Checksum:  d64a2bff24c05941624865facbc3ac8e

 7.2/SRPMS/rp-pppoe-2.5-2.2mdk.src.rpm
 MD5 Checksum:  0fdd0cc473288e52e64087025b93f341

 http://www.linux-mandrake.com/en/ftp.php3

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-991.html






+---------------------------------+
|       NetBSD Advisories         | ----------------------------//
+---------------------------------+


* NetBSD:  'ftpd' buffer overflow
December 20th, 2000

A one-byte buffer overrun was found in the ftp server daemon
(/usr/libexec/ftpd). It is rumored to be remotely exploitable.

 ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/
 20001220-ftpd-1.5

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/netbsd_advisory-1008.html



* NetBSD:  'kerberised telnetd' and 'libkrb' vulnerabilities
December 20th, 2000

A too liberal implementation in telnetd combined with bugs in libkrb
makes it possible for authorized users of a system to obtain root
access on that system.

 ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20001220-krb

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/netbsd_advisory-1007.html




+---------------------------------+
|       OpenBSD Advisories        | ----------------------------//
+---------------------------------+



* OpenBSD:  'ftpd' buffer overflow
December 19th, 2000

A relatively obscure one-byte buffer overflow bug present in ftpd(8)
turns out to be a serious problem, yielding remote users root access
under certain conditions. For a system to be vulnerable, ftpd must
have been explicitly enabled by the administrator (OpenBSD ships with
it OFF by default) and the attacker must have write access to at
least one directory. Therefore, anonymous read-only FTP servers are
safe (we recommend applying the patch regardless, of course).
Non-anonymous FTP administrators should seriously consider using a
more secure transport like SSH.

 PLEASE SEE VENDOR ADVISORY

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/openbsd_advisory-995.html



+---------------------------------+
|         Red Hat Advisories      | ----------------------------//
+---------------------------------+



* RedHat: Zope-Hotfix vulnerability
December 18th, 2000

A new Zope-Hotfix package is available which fixes issues with
computation of local roles.

 noarch:  Zope-Hotfix-localroles-2000_12_15a-1.noarch.rpm
 ftp://updates.redhat.com/powertools/7.0/noarch/
 MD5 Checksum:  a8b58411ed4e4c8238e9f05157f97516

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-989.html



* Red Hat:  'stunnel' vulnerability
December 19th, 2000

Stunnel version 3.8 (and earlier) contained a format-string
vulnerability. Version 3.9 closes this vulnerability.

 Red Hat Linux 7.0:
 alpha:
 ftp://updates.redhat.com/7.0/alpha/stunnel-3.9-1.alpha.rpm
 6ea8e52b59f22d1918d09f5ddbb4b5d5

 i386:
 ftp://updates.redhat.com/7.0/i386/stunnel-3.9-1.i386.rpm
 ad9ac81fc70618cf66826d7f16435c6e

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-993.html
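Both stunnel items (Conectiva's above and Red Hat's here) refer to the
same bug class: text received from the network reaches syslog() as the
format argument instead of as data.  The fragment below is an added
example, not stunnel's code; log_line() is a stand-in for syslog() that
formats into a buffer and returns it, so the effect can be inspected
without a syslog daemon.  The vulnerable call sits next to the
one-token fix.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char logbuf[256];

/* Stand-in for syslog(LOG_INFO, fmt, ...): same varargs contract,
 * but the formatted line is returned instead of sent to syslogd. */
const char *log_line(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return logbuf;
}

/* VULNERABLE: peer-controlled text (a hostname, a client's first line)
 * is passed as the format. "%x%x%x" reads the caller's stack; "%n"
 * writes through a pointer taken from the stack, which is how this
 * bug class becomes remote code execution. */
const char *vuln_log(const char *peer_text)
{
    return log_line(peer_text);            /* never do this */
}

/* FIXED: the format is a literal; peer text is only ever a %s argument. */
const char *safe_log(const char *peer_text)
{
    return log_line("client said: %s", peer_text);
}

/* Counts the '%' conversions an attacker planted in a string ("%%" is a
 * literal percent and does not count). Handy in a log-sanitising layer,
 * but the real fix is always a literal format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *probe = "%08x.%08x.%08x";       /* constructed attacker input */
    printf("safe:  %s\n", safe_log(probe));     /* the probe appears verbatim */
    printf("probe carries %d conversions\n", count_conversions(probe));
    /* vuln_log(probe) would print three words of stack instead of the
     * probe. It is left uncalled here: with no matching arguments the
     * call is undefined behaviour. */
    return 0;
}
```

Compiling with -Wformat -Wformat-security reports the vulnerable pattern
when the logging function carries the printf format attribute, so any
wrapper around syslog() or vsnprintf() should be declared with
__attribute__((format(printf, 1, 2))) (adjusting the argument positions).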



* Red Hat:  'slocate' heap overflow
December 19th, 2000

New slocate packages are available for Red Hat Linux 6.x and Red Hat
Linux 7. These fix a problem with the database parsing code in
slocate. (slocate was not shipped with Red Hat Linux prior to version
6.0, so earlier versions are not affected.)

 Red Hat Linux 7.0:
 alpha:
 ftp://updates.redhat.com//7.0/alpha/slocate-2.4-1.alpha.rpm
 5ee5ec5f65e200e9d03f4d2dda43ce07

 i386:
 ftp://updates.redhat.com//7.0/i386/slocate-2.4-1.i386.rpm
 ba3b1c1743ec957cb8abb05818e05854

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-996.html




* Red Hat:  'rp-pppoe' DoS
December 20th, 2000

Bad TCP packets (e.g. a SYN packet with kind=3, len=0) over a
PPP-over-Ethernet link could lock up rp-pppoe.

 Red Hat Linux 7.0:
 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-997.html
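Both rp-pppoe items (Mandrake's above and Red Hat's here) describe the
same trigger: a TCP option whose length byte is zero, inside a segment
the "Clamp MSS" code inspects.  The loop below is an added example of
how an MSS clamper should walk the options list; it is not rp-pppoe's
own code, and the option byte strings are constructed for the
demonstration.  The one comparison that matters is "olen < 2": a walker
that advances by the length byte without it never moves past a
zero-length option and spins forever, which is the lock-up described.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/* Walks the TCP options area opts[0..len). Returns the MSS after clamping
 * it to max_mss (rewritten in place), 0 if no MSS option is present, or
 * -1 on a malformed option. Every non-NOP option must carry a length of
 * at least 2 (kind + length bytes); a length of 0 or 1 can never advance
 * the cursor, so it is rejected instead of looped on. */
int clamp_mss(uint8_t *opts, size_t len, uint16_t max_mss)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) break;               /* end of option list  */
        if (kind == TCPOPT_NOP) { i++; continue; }   /* single-byte option  */
        if (i + 1 >= len) return -1;                 /* length byte missing */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;   /* no progress / overrun */
        if (kind == TCPOPT_MSS) {
            if (olen != 4) return -1;
            unsigned mss = ((unsigned)opts[i + 2] << 8) | opts[i + 3];
            if (mss > max_mss) {
                opts[i + 2] = (uint8_t)(max_mss >> 8);
                opts[i + 3] = (uint8_t)(max_mss & 0xff);
                mss = max_mss;
            }
            return (int)mss;
        }
        i += olen;                                   /* skip other options */
    }
    return 0;
}

/* Scratch copy for the demo and checks, so the constant samples stay intact. */
uint8_t scratch[64];

/* Clamps a copy of 'src' into 'scratch' and returns clamp_mss()'s result. */
int clamp_mss_copy(const uint8_t *src, size_t len, uint16_t max_mss)
{
    memcpy(scratch, src, len);
    return clamp_mss(scratch, len, max_mss);
}

/* Constructed option areas, as found after a fixed 20-byte TCP header. */
const uint8_t OPTS_SYN_MSS1460[] = { 1, 1, 2, 4, 0x05, 0xb4, 0, 0 }; /* NOP NOP MSS=1460 EOL */
const uint8_t OPTS_ZERO_LEN[]    = { 3, 0, 2, 4, 0x05, 0xb4 };       /* kind=3 len=0: illegal */
const uint8_t OPTS_WSCALE_MSS[]  = { 3, 3, 7, 2, 4, 0x02, 0x18 };    /* WScale, then MSS=536  */
const uint8_t OPTS_NO_MSS[]      = { 1, 1, 0 };                      /* NOP NOP EOL           */

int main(void)
{
    printf("MSS 1460 clamped to %d\n",
           clamp_mss_copy(OPTS_SYN_MSS1460, sizeof OPTS_SYN_MSS1460, 1412));
    printf("zero-length option -> %d (rejected, no hang)\n",
           clamp_mss_copy(OPTS_ZERO_LEN, sizeof OPTS_ZERO_LEN, 1412));
    printf("MSS 536 left at %d\n",
           clamp_mss_copy(OPTS_WSCALE_MSS, sizeof OPTS_WSCALE_MSS, 1412));
    printf("no MSS option -> %d\n",
           clamp_mss_copy(OPTS_NO_MSS, sizeof OPTS_NO_MSS, 1412));
    return 0;
}
```

A real clamper would also recompute the TCP checksum after rewriting
the MSS bytes; that step is omitted here because it is not where the
bug was.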




* Red Hat:  two 'gnupg' vulnerabilities
December 20th, 2000

When importing keys from public key servers, GnuPG will import
private keys (also known as secret keys) in addition to public keys.
If this happens, the user's web of trust becomes corrupted.
Additionally, when used to check detached signatures, if the data
file being checked contained clearsigned data, GnuPG would not warn
the user if the detached signature was incorrect.

 Red Hat Linux 7.0
 alpha:
 ftp://updates.redhat.com//7.0/alpha/gnupg-1.0.4-9.alpha.rpm
 1f476ae8f5453655a4a61174de187d15

 i386:
 ftp://updates.redhat.com//7.0/i386/gnupg-1.0.4-9.i386.rpm
 88ac7d34da177b6c469e0f2a0f6117e6

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-997.html



+---------------------------------+
|       Trustix Advisories        | ----------------------------//
+---------------------------------+


* Trustix:  'ed', 'tcsh', and 'ftpd-BSD' vulnerabilities
December 19th, 2000

A problem existed in replydirname() causing a buffer overflow and
possible exploit on certain OSes and architectures. Linux/x86 is
supposedly not vulnerable to this particular bug because of 4-byte
alignment of memory, but we thought everybody would feel better with
a patched version.

 For version 1.2:
 bd4276648134d82d4bccc87441ee6b77  ed-0.2-17tr.i586.rpm
 0a254e36df580061da0b45fbca6d5e92  ftpd-BSD-0.3.2-4tr.i586.rpm
 679cb64c880fc4c7cdcbd5435cc41d01  ed-0.2-17tr.src.rpm
 17435c96d6d21d47f7ebd3d70b55e27d  ftpd-BSD-0.3.2-4tr.src.rpm
 http://www.trustix.net/pub/Trustix/updates/

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-994.html
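The NetBSD, OpenBSD and Trustix ftpd items all concern the same
one-byte overrun in replydirname(), the BSD ftpd routine that doubles
'"' characters in a directory name before sending the 257 reply.  The
code below is an added illustration of that bug shape and of a hardened
replacement, written for this newsletter rather than taken from any
ftpd; the buffer is shrunk to 8 bytes (the real one is MAXPATHLEN) so
the edge case is easy to hit, and the buggy loop only tracks the index
it would write, so running it is safe.  Whether a single NUL written one
byte past a stack array is exploitable depends on what the compiler
places after it (padding, a saved frame pointer), which is the point
behind the alignment remark in the Trustix advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shape of the bug: the loop checks room for ONE byte per input character,
 * then stores a SECOND byte for '"' without re-checking. This version only
 * tracks the index and never writes. It returns the index at which
 * 'npath[i] = 0' would be stored; a result equal to bufsize means the
 * terminator lands one byte past the end of the array. */
size_t buggy_nul_index(const char *name, size_t bufsize)
{
    size_t i;
    for (i = 0; *name != '\0' && i < bufsize - 1; i++, name++) {
        /* npath[i] = *name; */
        if (*name == '"')
            ++i;            /* npath[++i] = '"';  second byte, no room check */
    }
    return i;               /* npath[i] = '\0'; */
}

/* Hardened quoting: room for BOTH bytes of a doubled quote is checked
 * before anything is stored, and the output is always NUL-terminated.
 * Returns 0 on success, -1 if the name had to be truncated. */
int quote_dirname(const char *name, char *out, size_t outsz)
{
    size_t i = 0;
    if (outsz == 0) return -1;
    for (; *name != '\0'; name++) {
        size_t need = (*name == '"') ? 2 : 1;
        if (i + need > outsz - 1) { out[i] = '\0'; return -1; }
        out[i++] = *name;
        if (*name == '"') out[i++] = '"';
    }
    out[i] = '\0';
    return 0;
}

/* Tiny stand-in for the MAXPATHLEN-sized npath[] so the edge is easy to see. */
char qbuf[8];

int main(void)
{
    /* Six ordinary characters then a quote (constructed input): the quote's
     * second byte fills the last slot, so the terminator goes to index 8,
     * which is sizeof qbuf, one past the end. */
    const char *crafted = "abcdef\"";
    printf("buggy loop would write NUL at index %zu of a %zu-byte buffer\n",
           buggy_nul_index(crafted, sizeof qbuf), sizeof qbuf);
    printf("hardened: rc=%d out=\"%s\"\n",
           quote_dirname(crafted, qbuf, sizeof qbuf), qbuf);
    printf("hardened: rc=%d out=\"%s\"\n",
           quote_dirname("a\"b", qbuf, sizeof qbuf), qbuf);
    return 0;
}
```

An FTP client can choose its own directory names on any server where it
has write access, which is why the OpenBSD advisory says anonymous
read-only servers are not exposed: the attacker needs to create a
directory whose name places a '"' exactly at the end of the buffer.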


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com