Information Security News mailing list archives
Linux Advisory Watch, December 15th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 15 Dec 2000 12:34:04 -0500
+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| December 15th, 2000 Volume 1, Number 33a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave () linuxsecurity com ben () linuxsecurity com
This week, advisories were released for tcsh, ghostscript, joe,
rp-pppoe, ed, bitchx, pam, apcupsd, mc, pico/pine, and zope. The
vendors include Conectiva, Caldera, Immunix, Mandrake, and Red Hat.
It is critical that you update all vulnerable packages to reduce the
risk of being compromised.
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.
HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html
+---------------------------------+
| Installing a new package: | ------------------------------//
+---------------------------------+
# rpm -Uvh <package-file>.rpm
# dpkg -i <package-file>.deb
Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.
+---------------------------------+
| Checking Package Integrity: | -----------------------------//
+---------------------------------+
The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.
# md5sum <package-file>
ebf0d4a0d236453f63a797ea20f0758b
The string of hexadecimal digits can then be compared against the MD5
checksum published by the packager. This check does not take into
account the possibility that the same person who modified a package
may also have modified the published checksum, but it is especially
useful for establishing a great deal of assurance in the integrity
of a package before installing it.
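The comparison described above can be scripted so that every downloaded package is checked the same way. The following is an added example, not part of the original newsletter; the function names are hypothetical, and it also rejects a published value that is not a well-formed MD5 sum before hashing anything.

```python
import hashlib
import hmac
import re

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")  # 128 bits = 32 hex digits


def file_md5(path, chunk_size=65536):
    """Hash the file in chunks so large packages are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_package(path, published):
    """Return 'ok', 'mismatch' or 'malformed' for one package file."""
    published = published.strip()
    # Reject a damaged published value up front: it can never match, and the
    # failure should point at the checksum, not at the download.
    if not MD5_HEX.fullmatch(published):
        return "malformed"
    actual = file_md5(path)
    return "ok" if hmac.compare_digest(actual, published.lower()) else "mismatch"


def check_all(entries):
    """entries: iterable of (path, published_md5); returns {path: status}."""
    return {path: check_package(path, published) for path, published in entries}
```

The sum listed for BitchX-1.0c17-4.alpha.rpm in this issue has only 31 digits, so it would be reported as malformed rather than as a failed download. MD5 collisions have since become practical, so a match is a corruption check; authenticity rests on the vendor's package signature.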
+---------------------------------+
| Caldera Advisories | ----------------------------//
+---------------------------------+
* Caldera: 'irc-bx' vulnerability
December 12th, 2000
There is a bug in the BitchX IRC client shipped with OpenLinux which
allows an attacker in control of his reverse DNS mapping to crash or
even remotely access a BitchX session.
OpenLinux eDesktop 2.4: irc-BX-1.0c17-2
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
MD5 Checksum: 181880ff4a1d84ea279b2cb2488df272
Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-973.html
+---------------------------------+
| Conectiva Advisories | ----------------------------//
+---------------------------------+
* Conectiva: 'pam_localuser' buffer overflow
December 13th, 2000
The pam_localuser module, part of the PAM package, has a buffer
overflow vulnerability in it. This module is *not* used in any
default configuration, and to be vulnerable a user would have to
insert it manually in a configuration file in the /etc/pam.d
directory.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-976.html
* Conectiva: 'ed' vulnerability
December 13th, 2000
The "ed" editor creates temporary files in an insecure way, making it
vulnerable to symlink attacks.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-977.html
* Conectiva: 'rp-pppoe' vulnerability
December 12th, 2000
If rp-pppoe receives a crafted TCP segment with an option where the
option-length field is zero (illegal), the program would enter an
infinite loop and the connection would time out and be dropped.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-970.html
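The zero-length case is easy to miss because a TCP option's length byte counts the kind and length bytes themselves, so any value below 2 is invalid and a value of 0 means the cursor never advances. The following is an added example, not rp-pppoe's code: a bounded model of an unchecked option walk next to a parser that validates the length, with hypothetical names and constructed option bytes.

```python
EOL, NOP = 0, 1  # single-byte option kinds; all others carry a length byte


class MalformedOptions(ValueError):
    pass


def parse_tcp_options(opts: bytes):
    """Return [(kind, payload)]; raise MalformedOptions on a bad length."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            parsed.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise MalformedOptions(f"option {kind} at offset {i}: no length byte")
        length = opts[i + 1]
        if length < 2:  # includes the zero-length case from the advisory
            raise MalformedOptions(f"option {kind} at offset {i}: length {length}")
        if i + length > len(opts):
            raise MalformedOptions(f"option {kind} at offset {i}: overruns header")
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed


def naive_walk_stalls(opts: bytes, max_steps=1000):
    """Model of an unchecked walk: trust the length byte, capped for the demo."""
    i = steps = 0
    while i + 1 < len(opts) and steps < max_steps:
        kind = opts[i]
        if kind == EOL:
            return False
        i += 1 if kind == NOP else opts[i + 1]  # length 0 leaves i unchanged
        steps += 1
    return steps >= max_steps


# Constructed samples: MSS 1460, NOP, window scale 7, EOL / an option with length 0
GOOD = bytes.fromhex("020405b4" "01" "030307" "00")
BAD = bytes.fromhex("020405b4" "0300")
```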
* Conectiva: 'joe' symlink vulnerability
December 8th, 2000
An attacker could create a symbolic link called DEADJOE in a
directory and link it to sensitive system files. If the root user
runs joe from that directory, and the program exits abnormally, it
would add data to this sensitive file, probably corrupting it.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/joe-2.8-24cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-962.html
* Conectiva 6.0: ghostscript vulnerability [UPDATE]
December 8th, 2000
1) insecure temporary file handling could allow symlink attacks; 2) a
compile time option that was incorrectly being used made ghostscript
pick up dynamic libraries in the current directory instead of the
system directories.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ghostscript-5.50-13cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ghostscript-svgalib-5.50-13cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-961.html
* Conectiva 6.0: 'tcsh' vulnerability [UPDATE]
December 8th, 2000
When using in-here documents (via the "<<" redirect), tcsh creates a
temporary file in an insecure manner that could allow a symlink
attack to overwrite arbitrary files.
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcsh-6.10.00-1cl.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-960.html
+---------------------------------+
| Immunix Advisories | ----------------------------//
+---------------------------------+
* Immunix: 'ed' vulnerability
December 12th, 2000
Alan Cox recently found a problem in the 'ed' editor that causes it
to create temporary files in an unsafe fashion.
Immunix 6.2 is available at:
6.2/updates/RPMS/ed-0.2-19.6x_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/ed-0.2-19.6x_StackGuard.i386.rpm
99e9e6af4d17fe6e5df1a6a73f93b59b
Immunix 7.0 beta is available at:
7.0-beta/updates/RPMS/ed-0.2-19_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/ed-0.2-19_StackGuard.i386.rpm
ae64d6025e6873bba7ef866b53cdffe0
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-971.html
* Immunix: 'tcsh' vulnerability
December 10th, 2000
A problem was found in the tcsh shell released for Immunix OS 6.2 and
Immunix OS 7.0-beta that could lead to a root exploit through a temp
file bug.
Immunix 6.2 packages are available at:
6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
604b1bdb21fa27e244cd9297328d5fc2
Immunix 7.0 beta packages are available at:
7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
0d8a2e6700e8a08f7325c87ea92222ee
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-965.html
* Immunix: 'pam' vulnerability
December 10th, 2000
A problem was found in the pam module released for Immunix OS 6.2 and
Immunix OS 7.0-beta that contained a programming error in the
pam_localuser module. This module is not currently being used in the
default configuration, but upgrading is advised.
Immunix 6.2 packages are available at:
6.2/updates/RPMS/pam-0.72-20.6.x_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/pam-0.72-20.6.x_StackGuard.i386.rpm
184a57b870fdccd47d5666b0ab159712
Immunix 7.0 beta packages are available at:
7.0-beta/updates/RPMS/pam-0.72-37_StackGuard.i386.rpm
http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/pam-0.72-37_StackGuard.i386.rpm
938d9e85b0757dc63bd3811adc0a1e8c
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-966.html
+---------------------------------+
| Mandrake Advisories | ----------------------------//
+---------------------------------+
* Mandrake: 'BitchX' vulnerability
December 14th, 2000
Two bugs exist in the BitchX IRC client. A possible stack overflow
condition exists if a malformed DNS answer is processed by the
client, and the second bug allows this malformed DNS record to be
embedded in a valid DNS packet. Without the second bug, the malformed
DNS record wouldn't be processed "correctly."
Update Sites: http://www.linux-mandrake.com/en/ftp.php3
Linux-Mandrake 7.1:
7.1/RPMS/BitchX-1.0-0.c17.1.2mdk.i586.rpm
MD5 Checksum: 6a37d4159ec294b0f02d607d3bb0a1a8
Linux-Mandrake 7.2:
7.2/RPMS/BitchX-1.0-0.c17.1.1mdk.i586.rpm
MD5 Checksum: d08c8f5facc4c90770d78ab56cfc4d75
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-979.html
* Mandrake: 'mc' vulnerability
December 12th, 2000
A problem was found in the cons.saver program by Maurycy Prodeus. The
cons.saver program is a screensaver for the console that is included
in the mc package. cons.saver does not check if it is started with a
valid stdout, which combined with a bug in its check to see if its
argument is a tty (it forgets to close the file-descriptor after
opening the supposed tty), causes it to write a NULL character to the
file given as its parameter.
Update Sites: http://www.linux-mandrake.com/en/ftp.php3
Linux-Mandrake 7.2:
7.2/RPMS/gmc-4.5.51-7.1mdk.i586.rpm
8c8889a0a630d27b36a4f665735f10ac
7.2/RPMS/mc-4.5.51-7.1mdk.i586.rpm
a48455c265d3d439a7d8e038a1f6bf9f
7.2/RPMS/mcserv-4.5.51-7.1mdk.i586.rpm
a2461debb989236e2a95fb46cf1a80a5
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-974.html
* Mandrake: 'apcupsd' vulnerability
December 12th, 2000
A problem exists with the apcupsd daemon. During startup, apcupsd
creates a PID file in /var/run with the ID of the daemon process.
This file is used by the shutdown script to kill the daemon process.
Update Sites: http://www.linux-mandrake.com/en/ftp.php3
Linux-Mandrake 7.2:
7.2/RPMS/apcupsd-3.8.0-1.1mdk.i586.rpm
MD5 Checksum: 13d0d7582dc9539fd43165caea173bc0
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-972.html
* Mandrake: 'ed' vulnerability
December 10th, 2000
Alan Cox discovered that GNU ed (a classic line editor tool) creates
temporary files unsafely.
Update Sites: http://www.linux-mandrake.com/en/ftp.php3
Linux-Mandrake 7.1:
7.1/RPMS/ed-0.2-17.1mdk.i586.rpm
MD5 Checksum: 9d41ed3fc65d8f096d329c6ac8a11812
7.1/SRPMS/ed-0.2-17.1mdk.src.rpm
MD5 Checksum: c1e68a7d63f72c5108a3a85346786de0
Linux-Mandrake 7.2:
7.2/RPMS/ed-0.2-21.1mdk.i586.rpm
MD5 Checksum: 8ac697e3a3117f0221bd8bce6e08f2ca
7.2/SRPMS/ed-0.2-21.1mdk.src.rpm
MD5 Checksum: 9129468ee9043ab1272ff9f9cfb22f2f
Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-963.html
+---------------------------------+
| Pine Advisories | ----------------------------//
+---------------------------------+
* 'pico' symlink vulnerability
December 11th, 2000
Upon abnormal exit, the text editor saves any changes made to the
file being edited into a new file in the current working directory
labeled filename.save (where filename will correspond to the name of
the file being edited, e.g. test.txt will be saved as test.txt.save).
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-968.html
* 'pine' temp file vulnerability
December 11th, 2000
You can simply symlink this file (/tmp/pico.) to another file
that doesn't exist. When the victim is editing a message, the victim's
editor, vi, follows symlinks and creates another file. By removing this
symlink and creating your own temporary file and making it writable to
the victim, you can hijack his mail message.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-969.html
+---------------------------------+
| Red Hat Advisories | ----------------------------//
+---------------------------------+
* Red Hat: 'Bitchx' vulnerability
December 13th, 2000
A problem exists where BitchX will process malformed DNS answers,
allowing an attacker to crash the client, or possibly access the
BitchX session remotely.
Red Hat Powertools 7.0:
alpha:
ftp://updates.redhat.com/powertools/7.0/alpha/BitchX-1.0c17-4.alpha.rpm
6f31a2be5e84f99b83210aec219d24e
ftp://updates.redhat.com/powertools/7.0/alpha/gtkBitchX-1.0c17-4.alpha.rpm
157d026dded2ff8417a55ff793dbc26a
i386:
ftp://updates.redhat.com/powertools/7.0/i386/BitchX-1.0c17-4.i386.rpm
c17d86c9b40a179fa6b069ec43c374a4
ftp://updates.redhat.com/powertools/7.0/i386/gtkBitchX-1.0c17-4.i386.rpm
461cf25450f5b3ba1f3a7d6b76c42eaa
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-978.html
* Red Hat: 'Zope' vulnerability
December 12th, 2000
A vulnerability exists in previously released versions of Zope where
users can create new DTML method instances through the Web without
having the correct permissions.
PLEASE SEE VENDOR ADVISORY FOR ZOPE UPDATES
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-975.html
* Red Hat: 'ed' vulnerability
December 11th, 2000
The ed editor used files in /tmp in an insecure fashion. It was
possible for local users to exploit this vulnerability to modify
files that they normally could not and gain elevated privilege.
PLEASE SEE VENDOR ADVISORY FOR OLDER VERSIONS
7.0/i386/ed-0.2-19.i386.rpm
ftp://updates.redhat.com/7.0/i386/ed-0.2-19.i386.rpm
6186b80b1deba06a1d3d99e30e2270d0
Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-967.html
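The ed, tcsh, joe (DEADJOE) and pico (filename.save) advisories in this issue share one root cause: a privileged process writes to a predictable path without checking what is already there. The following is an added example, not code from any of those programs, showing the open mode that follows a planted symlink next to one that refuses it; the function names and the file "important.conf" are hypothetical.

```python
import os
import tempfile


def save_recovery_naive(path, data):
    """Open-and-append as the advisories describe: a symlink at path is followed."""
    with open(path, "ab") as f:
        f.write(data)


def save_recovery_safe(path, data):
    """Create the file ourselves or fail; never write through an existing name."""
    # O_CREAT|O_EXCL fails if anything, including a dangling symlink, is at path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_scratch(data):
    """Temp files: let mkstemp pick an unpredictable name, created 0600 with O_EXCL."""
    fd, path = tempfile.mkstemp(prefix="scratch.")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Return (safe_refused, target_untouched_after_safe, naive_corrupted_target)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "important.conf")  # constructed stand-in
        with open(target, "wb") as f:
            f.write(b"original\n")
        link = os.path.join(d, "DEADJOE")  # pre-planted link, as in the joe advisory
        os.symlink(target, link)
        try:
            save_recovery_safe(link, b"editor buffer\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        with open(target, "rb") as f:
            untouched = f.read() == b"original\n"
        save_recovery_naive(link, b"editor buffer\n")
        with open(target, "rb") as f:
            corrupted = f.read() != b"original\n"
        return safe_refused, untouched, corrupted
```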
* Vulnerabilities in KTH Kerberos IV
December 10th, 2000
The vulnerabilities may lead to local and remote root compromise if
the system supports Kerberos authentication and uses the KTH
implementation (as is the case with e.g. OpenBSD per default). The
system needn't be specifically configured to use Kerberos for all of
the issues to be exploitable; some of the vulnerabilities are
exploitable even if Kerberos is disabled by commenting out the realm
name in the "krb.conf" file.
PLEASE SEE VENDOR ADVISORY
Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-964.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
