Information Security News mailing list archives
Linux Advisory Watch, December 15th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 15 Dec 2000 12:34:04 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                         Linux Advisory Watch |
|  December 15th, 2000                       Volume 1, Number 33a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave () linuxsecurity com      ben () linuxsecurity com

This week, advisories were released for tcsh, ghostscript, joe, rp-pppoe, ed, bitchx, pam, apcupsd, mc, pico/pine, and zope. The vendors include Conectiva, Caldera, Immunix, Mandrake, and Red Hat. It is critical that you update all vulnerable packages to reduce the risk of being compromised.

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

### OpenDoc Publishing ###

Our sponsor this week is OpenDoc Publishing. Their 480-page comprehensive security book, Securing and Optimizing Linux, takes a hands-on approach to installing, optimizing, configuring, and securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.

  http://www.linuxsecurity.com/sponsors/opendocs.html

-> We invite you to subscribe to ISN (InfoSec News). It is a medium traffic list that caters to the distribution of information security news articles and other relevant resources. To subscribe: send an email to listserv () securityfocus com with a message body of:

   subscribe ISN firstname lastname

HTML Version: http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

  # rpm -Uvh <package>
  # dpkg -i <package>

Packages can be installed easily by using rpm (Red Hat Package Manager) or dpkg (Debian Package Manager). Most advisories issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body of the Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command computes a 128-bit fingerprint that depends strongly on the contents of the file it is applied to. Comparing it against a previously generated sum shows whether the file has changed, which is why vendors publish a sum for each updated package they distribute.

  # md5sum <package>
  ebf0d4a0d236453f63a797ea20f0758b  <package>

The resulting hex string is compared against the MD5 checksum published by the packager. Be clear about what a match proves: the file you downloaded is byte-for-byte the one the packager summed, so a truncated transfer or a package swapped on a mirror is caught. It does not catch an attacker who replaced the package and also edited the published checksum, because MD5 is an unkeyed hash, not a signature; for that, check the vendor's PGP signature on the package (rpm --checksig) or obtain the checksum over a separate, trusted channel. With that caveat, a verified sum gives a great deal of assurance in the integrity of a package before installing it. (MD5 has since been shown not to be collision-resistant; where a vendor also publishes SHA-256 sums, prefer those.)

+---------------------------------+
|  Caldera Advisories             | ----------------------------//
+---------------------------------+

* Caldera: 'irc-bx' vulnerability
  December 12th, 2000

  There is a bug in the BitchX IRC client shipped with OpenLinux which allows an attacker who controls the reverse DNS mapping for his address to crash, or even remotely access, a BitchX session.

  OpenLinux eDesktop 2.4: irc-BX-1.0c17-2
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 Checksum: 181880ff4a1d84ea279b2cb2488df272

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-973.html

+---------------------------------+
|  Conectiva Advisories           | ----------------------------//
+---------------------------------+

* Conectiva: 'pam_localuser' buffer overflow
  December 13th, 2000

  The pam_localuser module, part of the PAM package, has a buffer overflow vulnerability.
  This module is *not* used in any default configuration; to be vulnerable, a user would have to insert it manually into a configuration file in the /etc/pam.d directory.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-976.html

* Conectiva: 'ed' vulnerability
  December 13th, 2000

  The "ed" editor creates temporary files in an insecure way, making it vulnerable to symlink attacks.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/pam-0.72-23cl.i386.rpm
  (Note: the URL above as printed points at the pam package, not ed; take the ed package location from the vendor advisory.)

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-977.html

* Conectiva: 'rp-pppoe' vulnerability
  December 12th, 2000

  If rp-pppoe receives a crafted TCP segment carrying an option whose option-length field is zero (illegal), the program enters an infinite loop; the connection then times out and is dropped.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/rp-pppoe-2.5-1cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-970.html

* Conectiva: 'joe' symlink vulnerability
  December 8th, 2000

  An attacker could create a symbolic link called DEADJOE in a directory and point it at a sensitive system file. If the root user runs joe from that directory and the program exits abnormally, joe appends its recovery data to that file, probably corrupting it.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/joe-2.8-24cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-962.html

* Conectiva 6.0: ghostscript vulnerability [UPDATE]
  December 8th, 2000

  1) insecure temporary file handling could allow symlink attacks; 2) a compile-time option that was being used incorrectly made ghostscript pick up dynamic libraries from the current directory instead of the system directories.
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ghostscript-5.50-13cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/ghostscript-svgalib-5.50-13cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-961.html

* Conectiva 6.0: 'tcsh' vulnerability [UPDATE]
  December 8th, 2000

  When processing here documents (the "<<" redirect), tcsh creates a temporary file in an insecure manner that could allow a symlink attack to overwrite arbitrary files.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tcsh-6.10.00-1cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-960.html

+---------------------------------+
|  Immunix Advisories             | ----------------------------//
+---------------------------------+

* Immunix: 'ed' vulnerability
  December 12th, 2000

  Alan Cox recently found a problem in the 'ed' editor that causes it to create temporary files in an unsafe fashion.

  Updates for Immunix 6.2 are available at:
  6.2/updates/RPMS/ed-0.2-19.6x_StackGuard.i386.rpm
  http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/ed-0.2-19.6x_StackGuard.i386.rpm
  99e9e6af4d17fe6e5df1a6a73f93b59b

  Updates for Immunix 7.0 beta are available at:
  7.0-beta/updates/RPMS/ed-0.2-19_StackGuard.i386.rpm
  http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/ed-0.2-19_StackGuard.i386.rpm
  ae64d6025e6873bba7ef866b53cdffe0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-971.html

* Immunix: 'tcsh' vulnerability
  December 10th, 2000

  A problem was found in the tcsh shell released for Immunix OS 6.2 and Immunix OS 7.0-beta that could lead to a root exploit through a temp file bug.

  Updates for Immunix 6.2 are available at:
  6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
  http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/tcsh-6.10-0.6.x_StackGuard.i386.rpm
  604b1bdb21fa27e244cd9297328d5fc2

  Updates for Immunix 7.0 beta are available at:
  7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
  http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/tcsh-6.10-1_StackGuard.i386.rpm
  0d8a2e6700e8a08f7325c87ea92222ee

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-965.html

* Immunix: 'pam' vulnerability
  December 10th, 2000

  A problem was found in the pam package released for Immunix OS 6.2 and Immunix OS 7.0-beta: a programming error in the pam_localuser module. This module is not currently used in the default configuration, but upgrading is advised.

  Updates for Immunix 6.2 are available at:
  6.2/updates/RPMS/pam-0.72-20.6.x_StackGuard.i386.rpm
  http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/pam-0.72-20.6.x_StackGuard.i386.rpm
  184a57b870fdccd47d5666b0ab159712

  Updates for Immunix 7.0 beta are available at:
  7.0-beta/updates/RPMS/pam-0.72-37_StackGuard.i386.rpm
  http://www.immunix.org/ImmunixOS/7.0-beta/updates/RPMS/pam-0.72-37_StackGuard.i386.rpm
  938d9e85b0757dc63bd3811adc0a1e8c

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-966.html

+---------------------------------+
|  Mandrake Advisories            | ----------------------------//
+---------------------------------+

* Mandrake: 'BitchX' vulnerability
  December 14th, 2000

  Two bugs exist in the BitchX IRC client. A possible stack overflow condition exists if a malformed DNS answer is processed by the client, and the second bug allows this malformed DNS record to be embedded in a valid DNS packet. Without the second bug, the malformed DNS record would not be processed "correctly."

  Update Sites: http://www.linux-mandrake.com/en/ftp.php3

  Linux-Mandrake 7.1:
  7.1/RPMS/BitchX-1.0-0.c17.1.2mdk.i586.rpm
  MD5 Checksum: 6a37d4159ec294b0f02d607d3bb0a1a8

  Linux-Mandrake 7.2:
  7.2/RPMS/BitchX-1.0-0.c17.1.1mdk.i586.rpm
  MD5 Checksum: d08c8f5facc4c90770d78ab56cfc4d75

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-979.html

* Mandrake: 'mc' vulnerability
  December 12th, 2000

  A problem was found in the cons.saver program by Maurycy Prodeus. The cons.saver program is a screensaver for the console that is included in the mc package.
  cons.saver does not check whether it was started with a valid stdout. Combined with a bug in its check of whether its argument is a tty (it forgets to close the file descriptor after opening the supposed tty), this causes it to write a NUL (0x00) byte to the file given as its parameter.

  Update Sites: http://www.linux-mandrake.com/en/ftp.php3

  Linux-Mandrake 7.2:
  7.2/RPMS/gmc-4.5.51-7.1mdk.i586.rpm     8c8889a0a630d27b36a4f665735f10ac
  7.2/RPMS/mc-4.5.51-7.1mdk.i586.rpm      a48455c265d3d439a7d8e038a1f6bf9f
  7.2/RPMS/mcserv-4.5.51-7.1mdk.i586.rpm  a2461debb989236e2a95fb46cf1a80a5

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-974.html

* Mandrake: 'apcupsd' vulnerability
  December 12th, 2000

  A problem exists with the apcupsd daemon. During startup, apcupsd creates a PID file in /var/run with the ID of the daemon process. This file is used by the shutdown script to kill the daemon process.

  Update Sites: http://www.linux-mandrake.com/en/ftp.php3

  Linux-Mandrake 7.2:
  7.2/RPMS/apcupsd-3.8.0-1.1mdk.i586.rpm
  MD5 Checksum: 13d0d7582dc9539fd43165caea173bc0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-972.html

* Mandrake: 'ed' vulnerability
  December 10th, 2000

  Alan Cox discovered that GNU ed (a classic line editor tool) creates temporary files unsafely.
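  The attack behind this entry and the other temp-file advisories this week (tcsh, joe, ghostscript, the Conectiva, Immunix and Red Hat ed packages, and the pico/pine entries below), reproduced as an added example that is not code from any of those programs or vendors. It is POSIX sh, run entirely inside a throwaway directory that stands in for /tmp; the file names, the three writer functions and the attack_* drivers are hypothetical, and everything runs as one user, so it shows the kernel following the planted link rather than the privilege gain a root victim would hand over.

```shell
#!/bin/sh
# Added example, not code from any of the advisories above: the
# predictable-temp-file bug shared by the ed, tcsh, joe, ghostscript, pico
# and pine entries, reproduced with shell redirections inside a private
# sandbox directory that stands in for /tmp. The file names (ed.tmp,
# precious.conf) and the "victim" writers are hypothetical. Everything
# here runs as one user; in the real attack the victim is root and the
# target is a file the attacker could not otherwise write.

# vulnerable_writer DIR DATA: the bug. A fixed, guessable name and a plain
# ">" redirect, i.e. open(O_WRONLY|O_CREAT|O_TRUNC): if an attacker has
# already planted a symlink at that name, the kernel follows it and the
# write truncates and overwrites the link's target.
vulnerable_writer() {
    printf '%s\n' "$2" > "$1/ed.tmp"
}

# noclobber_writer DIR DATA: the same fixed name, but with the shell's
# noclobber option, under which ">" opens with O_CREAT|O_EXCL. O_EXCL
# fails on any existing path, a symlink included, so the planted link is
# reported as an error instead of being followed. (A fixed name is still
# a denial of service: the attacker can always make the write fail.)
noclobber_writer() {
    ( set -C; printf '%s\n' "$2" > "$1/ed.tmp" ) 2>/dev/null
}

# safe_writer DIR DATA: the standard fix, in shell form. mktemp(1) creates
# an unpredictable name itself with O_CREAT|O_EXCL and mode 0600, so there
# is no window between "choose name" and "create file" in which an
# attacker can plant anything. Prints the path it used.
safe_writer() {
    t=$(mktemp "$1/ed.XXXXXX") || return 1
    printf '%s\n' "$2" > "$t"
    echo "$t"
}

# stage_target DIR: the attacker's half. A file the victim has no business
# writing, plus a symlink planted at the name the victim is known to use.
stage_target() {
    mkdir -p "$1"
    printf 'original contents\n' > "$1/precious.conf"
    ln -s "$1/precious.conf" "$1/ed.tmp"
}

# Each attack_* function stages a fresh sandbox, runs one writer as the
# victim, and prints the final contents of precious.conf.
attack_predictable() {
    stage_target "$1"
    vulnerable_writer "$1" "victim scratch data"
    cat "$1/precious.conf"      # "victim scratch data": target clobbered
}

attack_noclobber() {
    stage_target "$1"
    noclobber_writer "$1" "victim scratch data" && return 1   # must fail
    cat "$1/precious.conf"      # "original contents": untouched
}

attack_mktemp() {
    stage_target "$1"
    safe_writer "$1" "victim scratch data" >/dev/null
    cat "$1/precious.conf"      # "original contents": untouched
}

# Run stand-alone ("sh symlink-demo.sh demo") for a visible before/after
# in a throwaway directory.
if [ "${1:-}" = "demo" ]; then
    sb=$(mktemp -d)
    echo "predictable name: $(attack_predictable "$sb/a")"
    echo "noclobber:        $(attack_noclobber "$sb/b")"
    echo "mktemp:           $(attack_mktemp "$sb/c")"
    rm -rf "$sb"
fi
```

  The three writers are the three states the advisories describe: a predictable name with a plain open (the bug), a predictable name opened with O_EXCL (no longer followed, but trivially blocked, so still a denial of service), and mktemp(1), the shell counterpart of mkstemp(3) in C. On Linux 3.6 and later, fs.protected_symlinks additionally refuses to follow a symlink in a sticky world-writable directory when the link's owner is neither the follower nor the directory's owner, which blunts this class in /tmp; the sandbox here is neither sticky nor multi-user, so the demonstration is unaffected.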
  Update Sites: http://www.linux-mandrake.com/en/ftp.php3

  Linux-Mandrake 7.1:
  7.1/RPMS/ed-0.2-17.1mdk.i586.rpm
  MD5 Checksum: 9d41ed3fc65d8f096d329c6ac8a11812
  7.1/SRPMS/ed-0.2-17.1mdk.src.rpm
  MD5 Checksum: c1e68a7d63f72c5108a3a85346786de0

  Linux-Mandrake 7.2:
  7.2/RPMS/ed-0.2-21.1mdk.i586.rpm
  MD5 Checksum: 8ac697e3a3117f0221bd8bce6e08f2ca
  7.2/SRPMS/ed-0.2-21.1mdk.src.rpm
  MD5 Checksum: 9129468ee9043ab1272ff9f9cfb22f2f

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-963.html

+---------------------------------+
|  Pine Advisories                | ----------------------------//
+---------------------------------+

* 'pico' symlink vulnerability
  December 11th, 2000

  Upon abnormal exit, the text editor saves any changes made to the file being edited into a new file in the current working directory labeled filename.save (where filename corresponds to the name of the file being edited, e.g. test.txt will be saved as test.txt.save). That name is predictable, which is the symlink exposure: a link planted at it in advance redirects the save.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-968.html

* 'pine' temp file vulnerability
  December 11th, 2000

  An attacker can simply symlink the temporary file (/tmp/pico.) to another file that does not exist. When the victim is editing a message, the victim's editor (vi) follows the symlink and creates that other file. By removing this symlink and creating your own temporary file, writable by the victim, you can hijack the victim's mail message.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-969.html

+---------------------------------+
|  Red Hat Advisories             | ----------------------------//
+---------------------------------+

* Red Hat: 'BitchX' vulnerability
  December 13th, 2000

  A problem exists where BitchX will process malformed DNS answers, allowing an attacker to crash the client, or possibly access the BitchX session remotely.
  Red Hat Powertools 7.0:

  alpha:
  ftp://updates.redhat.com/powertools/7.0/alpha/BitchX-1.0c17-4.alpha.rpm
  6f31a2be5e84f99b83210aec219d24e
  (31 hex digits as printed, so this sum is truncated; take the alpha BitchX sum from the vendor advisory.)
  ftp://updates.redhat.com/powertools/7.0/alpha/gtkBitchX-1.0c17-4.alpha.rpm
  157d026dded2ff8417a55ff793dbc26a

  i386:
  ftp://updates.redhat.com/powertools/7.0/i386/BitchX-1.0c17-4.i386.rpm
  c17d86c9b40a179fa6b069ec43c374a4
  ftp://updates.redhat.com/powertools/7.0/i386/gtkBitchX-1.0c17-4.i386.rpm
  461cf25450f5b3ba1f3a7d6b76c42eaa

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-978.html

* Red Hat: 'Zope' vulnerability
  December 12th, 2000

  A vulnerability exists in previously released versions of Zope where users can create new DTML method instances through the Web without having the correct permissions.

  PLEASE SEE VENDOR ADVISORY FOR ZOPE UPDATES

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-975.html

* Red Hat: 'ed' vulnerability
  December 11th, 2000

  The ed editor used files in /tmp in an insecure fashion. It was possible for local users to exploit this vulnerability to modify files that they normally could not, and so gain elevated privilege.

  PLEASE SEE VENDOR ADVISORY FOR OLDER VERSIONS

  7.0/i386/ed-0.2-19.i386.rpm
  ftp://updates.redhat.com/7.0/i386/ed-0.2-19.i386.rpm
  6186b80b1deba06a1d3d99e30e2270d0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-967.html

* Vulnerabilities in KTH Kerberos IV
  December 10th, 2000

  The vulnerabilities may lead to local and remote root compromise if the system supports Kerberos authentication and uses the KTH implementation (as is the case with e.g. OpenBSD by default). The system need not be specifically configured to use Kerberos for all of the issues to be exploitable; some of the vulnerabilities are exploitable even if Kerberos is disabled by commenting out the realm name in the "krb.conf" file.
  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-964.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".