Information Security News mailing list archives

Linux Advisory Watch, Nov 17th 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 17 Nov 2000 13:20:20 -0500

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  November 17th, 2000                     Volume 1, Number 29a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com


Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for named, bind, gnupg, tcsh,
ncurses, telnetd, nss_ldap, openssh, cups, modutils, pine, and imap.
The vendors include Caldera, Debian, FreeBSD, Mandrake, Conectiva,
Immunix, Trustix, Red Hat, Slackware and SuSE.  It is critical that
you update all vulnerable packages to reduce the risk of being
compromised. Many of the vulnerabilities described are root
compromises.  Also, if you are running bind/named, make sure that you
upgrade so you are not vulnerable to DoS attacks.

OpenDoc Publishing

Our sponsor this week is OpenDoc Publishing.  Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html


HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html


+---------------------------------+
|   Installing a new package:     | ------------------------------//
+---------------------------------+

   # rpm  -Uvh <filename>
   # dpkg -i <filename>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be used to compare against a previously generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

  # md5sum <filename>
    ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager.  This does not account for the possibility
that whoever modified a package may also have modified the published
checksum, but it is still useful for establishing a good deal of
assurance in the integrity of a package before installing it.
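
The comparison described above, written out as an added example (not part
of the original newsletter): it pairs each "MD5 Checksum:" line in an
advisory with the package file name above it and checks the downloaded
files against the published values. The ftp.example.com entries, the
example-* file names and the temporary download directory are constructed
for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A package file name at the end of a line, with or without a leading
# "Package Name:" label, directory prefix or ftp:// URL.
PKG_RE = re.compile(r"([^\s/]+\.(?:rpm|deb|tgz))\s*$")
SUM_RE = re.compile(r"MD5 checksum:\s*([0-9a-f]{32})\b", re.IGNORECASE)


def parse_advisory(text):
    """Return {package file name: published MD5} from advisory text.

    Each "MD5 Checksum:" line is paired with the nearest package file
    name above it, which is how the entries in this newsletter are laid
    out. A checksum line with no package name above it is ignored.
    """
    published, current = {}, None
    for line in text.splitlines():
        m = SUM_RE.search(line)
        if m:
            if current is not None:
                published[current] = m.group(1).lower()
                current = None
            continue
        m = PKG_RE.search(line)
        if m:
            current = m.group(1)
    return published


def md5_of(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks (the value md5sum prints)."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(download_dir, published):
    """Map each published package to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, expected in published.items():
        path = Path(download_dir) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif md5_of(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: one intact file, one altered, one not downloaded."""
    good, bad = b"constructed package A\n", b"constructed package B\n"
    advisory = (
        "  Package Name:  RPMS/example-1.0-1.i386.rpm\n"
        "  ftp://ftp.example.com/pub/updates/RPMS/\n"
        f"  MD5 Checksum:  {hashlib.md5(good).hexdigest()}\n"
        "\n"
        "  example-utils_1.0-1_i386.deb\n"
        "  http://ftp.example.com/updates/binary-i386/\n"
        f"  MD5 checksum: {hashlib.md5(bad).hexdigest()}\n"
        "\n"
        "  ftp://ftp.example.com/7.0/i386/example-doc-1.0-1.i386.rpm\n"
        f"  MD5 Checksum:  {hashlib.md5(b'never downloaded').hexdigest()}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example-1.0-1.i386.rpm").write_bytes(good)
        Path(d, "example-utils_1.0-1_i386.deb").write_bytes(bad + b"altered")
        return verify(d, parse_advisory(advisory))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

MD5 is used here only because it is what these advisories publish; where
the vendor also signs its packages, checking the signature (for example
with rpm --checksig) covers the modified-checksum case mentioned above.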



+---------------------------------+
|      Caldera Advisories         | ----------------------------//
+---------------------------------+


* Caldera:  'named' DoS
November 13th, 2000

There's a bug in named's handling of compressed zone transfers (ZXFR)
that causes it to crash under certain circumstances. At the very
least, this is a denial of service attack. As the bug is still being
investigated, it cannot be ruled out that this bug has a more severe
security impact.

  Package Name:  RPMS/bind-8.2.2p7-1.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 Checksum:  9d8429f25c5fb3bebe2d66b1f9321e61

  Package Name:  RPMS/bind-doc-8.2.2p7-1.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 Checksum:  0e958eb01f40826f000d779dbe6b8cb3

  Package Name:  RPMS/bind-utils-8.2.2p7-1.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 Checksum:  866ff74c77e9c04a6abcddcc11dbe17b

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/caldera_advisory-873.html





+---------------------------------+
|      Conectiva Advisories       | ----------------------------//
+---------------------------------+


* Conectiva:  'bind' DoS
November 10th, 2000

The bind nameserver has a vulnerability regarding compressed zone
transfers that can be used in a DoS attack. This vulnerability can
only be exploited by authorized zone transfers. The named daemon will
crash if it receives such a zone transfer request from an authorized
source address. The crash can be immediate or happen after a few
seconds or minutes, and results in a disabled DNS service.

  PLEASE SEE VENDOR ADVISORY FOR UPDATED PACKAGES

  * Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-860.html



* Conectiva:  'bind' update removes bind user
November 10th, 2000

Due to a packaging error, the updated bind packages for Conectiva
Linux 5.1 (CLSA-2000:338) remove the "named" user and group after
upgrading. As a result, the named daemon cannot be started.

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  bind-8.2.2P7-2cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  bind-devel-8.2.2P7-2cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  bind-doc-8.2.2P7-2cl.i386.rpm

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  bind-utils-8.2.2P7-2cl.i386.rpm

 Vendor Advisory:
 * http://www.linuxsecurity.com/advisories/other_advisory-863.html


+---------------------------------+
|      Debian Advisories          | ----------------------------//
+---------------------------------+


* Debian:  'gnupg' update
November 10th, 2000

The version of gnupg that was distributed in Debian GNU/Linux 2.2 had
a logic error in the code that checks for valid signatures which
could cause false positive results: Jim Small discovered that if the
input contained multiple signed sections, the exit code gnupg returned
was only valid for the last section, so other, improperly signed
sections were not noticed.

  Alpha architecture:  gnupg_1.0.4-1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: f572217d63102a55a9e4704aed9b1c9d
  ARM architecture: gnupg_1.0.4-1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: eb43fb088b488002fa4c06c0d8d69eb2

  Intel ia32 architecture:  gnupg_1.0.4-1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: ef2ed6b922db2ed215f2fb857db80730

  Motorola 680x0 architecture:  gnupg_1.0.4-1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 607202c40ec908fa2ab10b20a1235ff2

  PowerPC architecture: gnupg_1.0.4-1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: ade5f42869502dfb128bd2b6279ab111

  Sun Sparc architecture:  gnupg_1.0.4-1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 37a850c6363498f90d3f719ada8d71db

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/debian_advisory-865.html




* Debian:  'bind' DoS
November 12th, 2000

The version of BIND shipped with Debian GNU/Linux 2.2 is vulnerable
to a remote denial of service attack, which can cause the nameserver
to crash after accessing an uninitialized pointer. This problem is
fixed in the current maintenance release of BIND, 8.2.2P7, and in the
Debian package version 8.2.2p7-1 for both stable and unstable
releases.

  Alpha architecture:

  bind-dev_8.2.2p7-1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 2315ecbe3d12e3b63990d3c3865757c7

  bind_8.2.2p7-1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 714123acb9343215f1db7069a852097b

  dnsutils_8.2.2p7-1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 52674605ace1f92dace748d2f395a25e

  ARM architecture:

  bind-dev_8.2.2p7-1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: ee34a99274fb5c39d7827022f97f90cd

  bind_8.2.2p7-1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 479bc6ee1ec7420dd66492ee86a0b4f2

  dnsutils_8.2.2p7-1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 9f2993e930fe124b7d781f7fcf7dd9f5

  Intel ia32 architecture:

  bind-dev_8.2.2p7-1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: 513489234a54cf0ec315614ad4d3eb6c

  bind_8.2.2p7-1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: e43bcbf9ea61557df87a96d3554d4a51

  dnsutils_8.2.2p7-1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: bda3b5b518413f158b7e22c86bcd256e

  Motorola 680x0 architecture:

  bind-dev_8.2.2p7-1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: fa8e79eb6df63bdb61571e0de4fd104d

  bind_8.2.2p7-1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: a20d3db55060efffe2751d06d73d2e3b

  dnsutils_8.2.2p7-1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: e882f568805162ded8d96d88a69f6bdb

  PowerPC architecture:

  bind-dev_8.2.2p7-1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: 7224113410d6c8d35facbb8a017c612b

  bind_8.2.2p7-1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: 8cad0e6aedcbbd73d6341dcc7dda23f9

  dnsutils_8.2.2p7-1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: c25d9943a4a508eb80e6e9d1c564eb29

  Sun Sparc architecture:

  bind-dev_8.2.2p7-1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: 022fe932c1b25fb6d59d5031de8a04ba

  bind_8.2.2p7-1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: b7c02ca550277dce564375ff28ef0f2a

  dnsutils_8.2.2p7-1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: c98c594c4846ff7a639a020e42ae7462

  Vendor Advisory:
 * http://www.linuxsecurity.com/advisories/debian_advisory-869.html




* Debian:  'tcsh' update
November 10th, 2000

Proton reported on bugtraq that tcsh did not handle in-here documents
correctly. The version of tcsh that is distributed with Debian
GNU/Linux 2.2r0 also suffered from this problem. When using in-here
documents with the << syntax, tcsh uses a temporary file to store the
data. Unfortunately the temporary file is not created securely and
standard symlink attacks can be used to make tcsh overwrite arbitrary
files.

  Alpha architecture:

  tcsh-kanji_6.09.00-10_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: d94b88f967a30b29d0fd428651c24ee7

  tcsh_6.09.00-10_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 35493353e4b7a0c73dc481fb114f992e

  ARM architecture:

  tcsh-kanji_6.09.00-10_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 41e52451e23c910040d13252a95ccd02

  tcsh_6.09.00-10_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 37c93cc0c71267e1a8e9a2a0478de274

  Intel ia32 architecture:

  tcsh-kanji_6.09.00-10_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 08638761e6526431cdac955e1c4e18bc

  tcsh_6.09.00-10_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 0893dabcc592c8d32dadc09e479e998f

  Motorola 680x0 architecture:

  tcsh-kanji_6.09.00-10_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 5cdff861f9ffec03013a3b84e6045ed8

  tcsh_6.09.00-10_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: c7d7e41f56fc7478abb27cbf81d5aec6

  PowerPC architecture:

  tcsh-kanji_6.09.00-10_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: fa31d16133308159b72ae9eda0bb52a7

  tcsh_6.09.00-10_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: a158e78ee02c263b729f23b642f6835e

  Sun Sparc architecture:

  tcsh-kanji_6.09.00-10_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: b75a93eb0fee0289bda3ffbc13fdd797

  tcsh_6.09.00-10_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 556d8e1fc4d7aa25b436c65c70c9c314

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/debian_advisory-866.html



+---------------------------------+
|      FreeBSD Advisories         | ----------------------------//
+---------------------------------+


* FreeBSD:  'ncurses' vulnerability
November 13th, 2000

There exists an overflowable buffer in the libncurses library in the
processing of cursor movement capabilities. An attacker can force a
privileged application to use the attacker's termcap file containing
a specially crafted terminal entry, which will trigger the
vulnerability when the vulnerable ncurses code is called. This allows
them to execute arbitrary code on the local system with the
privileges of the exploited binary.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

   Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/freebsd_advisory-872.html


* FreeBSD:  'gnupg' ports vulnerability
November 10th, 2000

Versions of gnupg prior to 1.04 fail to correctly verify multiple
signatures contained in a single document. Only the first signature
encountered is actually verified, meaning that other data with
invalid signatures (e.g. data which has been tampered with by an
attacker) will not be verified, and the entire document will be
treated as having valid signatures.

  Updated Package:  gnupg-1.04.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/security/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-862.html


* FreeBSD:  'telnetd' vulnerability
November 14th, 2000

Remote users without a valid login account on the server can cause
resources such as CPU and disk read bandwidth to be consumed, causing
increased server load and possibly denying service to
legitimate users.


  Vendor Patch:
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/freebsd_advisory-876.html


* FreeBSD:  'ppp deny_incoming' vulnerability
November 14th, 2000

Remote users can cause incoming traffic which is not part of an
existing NAT session to pass the NAT gateway, which may constitute a
breach of security policy. Thus, users who are using the
deny_incoming functionality in the expectation that it provides a
"deny by default" firewall which only allows through packets known to
be part of an existing NAT session, are in fact allowing other types
of unsolicited IP traffic into their internal network.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/freebsd_advisory-877.html



+---------------------------------+
|      Immunix Advisories         | ----------------------------//
+---------------------------------+


* Immunix:  'bind' DoS
November 13th, 2000

BIND version 8.2.2-P5 has a denial of service bug. The code intended
to provide support for the transfer of compressed zone files can
crash the name server. More BIND security information can be found
at: http://www.isc.org/products/BIND/bind8.html

  Package Name: bind-8.2.2_P7-1
  http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
  MD5 Checksum:  70339c6294f64e9693819038c56316d4

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/other_advisory-871.html




+---------------------------------+
|      Mandrake Advisories        | ----------------------------//
+---------------------------------+


* Mandrake:  'tcsh' vulnerability
November 14th, 2000

A vulnerability exists with tcsh when using the in-here documents
with the << syntax. When doing this, tcsh uses a temporary file to
store the data. Unfortunately, the temporary file is not created
securely and standard symlink attacks can be used to make tcsh
overwrite arbitrary files.

  Linux-Mandrake 7.0:

  7.0/RPMS/tcsh-6.09.04-1.2mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  b2ff9906f77f4f8f738f85aedcd6d1ce

  Linux-Mandrake 7.1:

  7.1/RPMS/tcsh-6.09.04-1.2mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  8e917a65861dd246f2a55786415395f5

  Linux-Mandrake 7.2:

  7.2/RPMS/tcsh-6.09.04-1.1mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  14284cbb343a88bcceca0fff6a0e6416


  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/mandrake_advisory-874.html



* Mandrake:  'openssh' vulnerability
November 15th, 2000

A vulnerability exists with all versions of OpenSSH prior to 2.3.0
with regards to the X11 forwarding and ssh-agent. If agent or X11
forwarding is disabled in the ssh client configuration, the client
does not request these features during session setup. However, when
the ssh client receives an actual request asking for access to the
ssh-agent, the client fails to check whether this feature has been
negotiated during session setup. The client does not check whether
the request is in compliance with the client configuration and grants
access to the ssh-agent. A similar problem exists in the X11
forwarding implementation.

  PLEASE SEE VENDOR ADVISORY FOR UPDATED PACKAGES

  Vendor Advisory:
 * http://www.linuxsecurity.com/advisories/mandrake_advisory-878.html




* Mandrake:  'modutils' vulnerability
November 16th, 2000

When a device is specified at the command line that doesn't exist,
request_module is called with the user-supplied arguments passed to
the kernel. The kernel then takes the arguments and executes modprobe
with them. Arbitrary commands included in the argument for module
name (device name to ping) are then executed when popen() is called
as root.

  Linux-Mandrake 7.1:

  7.1/RPMS/modutils-2.3.20-1.2mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  de9f58e8def6af9174eb53227422bb70

  Linux-Mandrake 7.2:

  7.2/RPMS/modutils-2.3.20-1.1mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  83071582ed7ae9dbe93f13a386c9f500

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/mandrake_advisory-884.html



* Mandrake:  'CUPS' vulnerability
November 16th, 2000

A problem existed with previous versions of CUPS that made CUPS
printers accessible from anywhere on the internet. A bug also existed
where CUPS would broadcast to everywhere and thus keep open
dial-on-demand lines. Both problems have been addressed in this update and by
an automatic configuration script.

  Linux-Mandrake 7.2:

  7.2/RPMS/cups-1.1.4-5.1mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum: 1e22b9f181bfccb1d8cb1242090ac458

  7.2/RPMS/cups-devel-1.1.4-5.1mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  43a494baa824f7b3cdf7be7c59f34b00

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/mandrake_advisory-883.html



* Mandrake:  'nss_ldap' update
November 10th, 2000

A race condition exists in versions of nss_ldap prior to version 121.
On a system running nscd, a malicious user can cause the system to
hang.

http://www.linuxsecurity.com/advisories/mandrake_advisory-861.html


* Mandrake:  'bind' update
November 10th, 2000

A vulnerability exists with the bind nameserver dealing with
compressed zone transfers. This vulnerability can be exploited by
authorized zone transfers and used in a DoS attack. The named daemon
will crash if it receives this type of zone transfer from an
authorized source address. The crash is not necessarily immediate,
but can range from a few seconds to a few minutes from the time of
the attack.

  Linux-Mandrake 7.0:
  7.0/RPMS/nss_ldap-122-1.2mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  13907614252952438931877a2dca472a

  Linux-Mandrake 7.1:
  7.1/RPMS/nss_ldap-122-1.1mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  cde48c8a7e334ebd6a604dd034a294f4

  Linux-Mandrake 7.2:
  7.2/RPMS/nss_ldap-122-1.1mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  MD5 Checksum:  82a506e8c958f054275a027ead7b8b15

  Vendor Advisory:
 * http://www.linuxsecurity.com/advisories/mandrake_advisory-861.html


+---------------------------------+
|      RedHat Advisories          | ----------------------------//
+---------------------------------+


* Redhat:  'modutils' vulnerability
November 16th, 2000

modutils, a package that helps the kernel automatically load kernel
modules (device drivers etc.) when they're needed, could be abused to
execute code as root.

Red Hat Linux 6.2

  alpha:
  ftp://updates.redhat.com/6.2/alpha/modutils-2.3.20-0.6.2.alpha.rpm
  MD5 Checksum:  7540818796b9ab0961465f67118ffac9

  sparc:
  ftp://updates.redhat.com/6.2/sparc/modutils-2.3.20-0.6.2.sparc.rpm
  MD5 Checksum:  d8226ab998719f79f3df9d4e9a6bb88a

  i386:
  ftp://updates.redhat.com/6.2/i386/modutils-2.3.20-0.6.2.i386.rpm
  MD5 Checksum:  206cb6ccd33a0f16803695e0246abb35

  Red Hat Linux 7.0:

  i386:
  ftp://updates.redhat.com/7.0/i386/modutils-2.3.20-1.i386.rpm
  MD5 Checksum:  166b7512c784ffaa4233e8f71ef712cd


  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/redhat_advisory-882.html


* Redhat:  'bind' DoS vulnerability
November 11th, 2000

A bug in bind 8.2.2_P5 allows for a denial of service attack. If
named is open to zone transfers and recursive resolving, it will
crash after a ZXFR for the authoritative zone and a query of a remote
hostname.

  Red Hat Linux 7.0:

  alpha:
  ftp://updates.redhat.com/7.0/alpha/bind-8.2.2_P7-1.alpha.rpm
  MD5 Checksum:  cdaad5917739f5c20e4d01a37750386d

  sparc:
  ftp://updates.redhat.com/7.0/sparc/bind-8.2.2_P7-1.sparc.rpm
  MD5 Checksum:  105382156bffc1543e3907b12c2a417c

  i386:
  ftp://updates.redhat.com/7.0/i386/bind-8.2.2_P7-1.i386.rpm
  MD5 Checksum: 3ca7a0db5c91992478737bf7564ad148

  Vendor Advisory:
  * http://www.linuxsecurity.com/advisories/redhat_advisory-867.html




* Redhat:  'usermode' update
November 10th, 2000

The usermode package contains a binary (/usr/bin/userhelper), which
is used to control access to programs which are to be executed as
root. Because programs invoked by userhelper are not actually running
setuid-root, security measures built into recent versions of glibc
are not active.

  Red Hat Linux 7.0:i386:
  ftp://updates.redhat.com/7.0/i386/usermode-1.37-2.i386.rpm

  FOR OTHER VERSIONS PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
 * http://www.linuxsecurity.com/advisories/redhat_advisory-858.html



* Redhat:  'pine' and 'imap' updates
November 10th, 2000

By adding specific headers to messages, the pine mail reader and the
imap server could be made to exit with an error message when users
attempted to manipulate mail folders containing those messages.


  Red Hat Linux 7.0:i386:

  ftp://updates.redhat.com/7.0/i386/pine-4.30-2.i386.rpm
  MD5 Checksum:  14e10c0d1d5752708acafd31135e72cf

  ftp://updates.redhat.com/7.0/i386/imap-2000-3.i386.rpm
  MD5 Checksum: 0cc070b4a5092208bebbf567cf319582

  ftp://updates.redhat.com/7.0/i386/imap-devel-2000-3.i386.rpm
  MD5 Checksum: a94850f16ea2bb07dc1f172db422916b

  FOR OTHER VERSIONS PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
 * http://www.linuxsecurity.com/advisories/redhat_advisory-859.html


+---------------------------------+
|      Slackware Advisories       | ----------------------------//
+---------------------------------+

* Slackware:  'pine' update
November 10th, 2000

Pine versions 4.21 and before contain a buffer overflow vulnerability
which allows a remote user to execute arbitrary code on the local
client by sending a specially crafted email message. The
overflow occurs during the periodic "new mail" checking of an open
folder.

   ftp://ftp.slackware.com/pub/slackware/slackware-current/
   slakware/n1/pine.tgz

   MD5 Checksum:  2f7cdbca84e9d3473c74c6cf6ed24b79

   ftp://ftp.slackware.com/pub/slackware/slackware-current/
   slakware/n1/imapd.tgz
   MD5 Checksum:  81a5c7373e30357679fe613e38e07a01

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-857.html



* Slackware:  'bind' DoS
November 11th, 2000

BIND version 8.2.2-P5 has a denial of service bug. The code intended
to provide support for the transfer of compressed zone files can
crash the name server. More BIND security information can be found
at: http://www.isc.org/products/BIND/bind8.html

  ftp://ftp.slackware.com/pub/slackware/slackware-current/
  slakware/n1/bind.tgz

  MD5 Checksum:  acce19918ebb3cf0159f0690e5d167ae

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-868.html



+---------------------------------+
|      SuSE    Advisories         | ----------------------------//
+---------------------------------+


* SuSE:  'bind' DoS
November 16th, 2000

BIND, the Berkeley Internet Name Daemon, versions before 8.2.2p7, has
been found vulnerable to two denial of service attacks: named may
crash after a compressed zone transfer request (ZXFR) and if an SRV
record (defined in RFC2782) is sent to the server.

  SuSE-6.4
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1
  /bind8-8.2.2-139.i386.rpm
  MD5 Checksum: c6f2242efe722aaa4320010e00ddc080

  SuSE-6.3
  ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/
  bind8-8.2.2-139.i386.rpm
  MD5 Checksum:  d3f51528ad2120cd3dc6517c2bc26c0a

  PLEASE  SEE VENDOR ADVISORY FOR OTHER PLATFORMS

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-881.html



* SuSE: 'modules' vulnerability
November 13th, 2000

Newer versions of the modprobe program contain a bug which allows
local users to gain root privileges. modprobe expands given
arguments via /bin/echo and can easily be tricked into executing
commands. In order for this bug to be exploitable, a setuid root
program must be installed that can trigger the loading of modules
(such as ping6).


 i386 Intel Platform:

  SuSE-7.0
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/
  modules-2.3.11-73.i386.rpm
  MD5 Checksum:  9643216a1e0c147635ef62d894a9d7ad

  SuSE-6.4
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/
  modules-2.3.9-63.i386.rpm
  MD5 Checksum:  d3a95b93e549aae9a462e84d179efe45

  PLEASE  SEE VENDOR ADVISORY FOR OTHER PLATFORMS

  Vendor Advisory:
   http://www.linuxsecurity.com/advisories/suse_advisory-870.html


+---------------------------------+
|      Trustix Advisories         | ----------------------------//
+---------------------------------+

* Trustix:  bind, openssh, and modutils
November 15th, 2000

The openssh client does not enforce the "ForwardX11 no" and
"ForwardAgent no" configuration options, so that a malicious server
could force a client to forward these even if they are turned off.

http://www.linuxsecurity.com/advisories/other_advisory-880.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

