Information Security News mailing list archives

Linux Advisory Watch, Nov 24th 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 24 Nov 2000 19:05:23 -0500

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  November 24th, 2000                     Volume 1, Number 30a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com


Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for modutils, ghostscript,
elvis-tiny, xmcd, ncurses, joe, ethereal, tcpdump, CUPS, cron,
openssh, tcsh/csh, php, thttpd, curl, mgetty, telnet, pine.  The
vendors include Conectiva, Debian, FreeBSD, Mandrake and Red Hat.
It was a big week for both Debian and FreeBSD. It is critical that
you update all vulnerable packages to reduce the risk of being
compromised.

### OpenDoc Publishing ###

Our sponsor this week is OpenDoc Publishing.  Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html


HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html


+---------------------------------+
|   Installing a new package:     | ------------------------------//
+---------------------------------+

   # rpm  -Uvh <filename>
   # dpkg -i <filename>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

  # md5sum <filename>
    ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager.  This does not take into account the
possibility that the same person who modified a package may also
have modified the published checksum, but it is especially useful
for establishing a great deal of assurance in the integrity of a
package before installing.


+---------------------------------+
|      Conectiva Advisories       | ----------------------------//
+---------------------------------+

* Conectiva:  'modutils' vulnerability
November 22nd, 2000

The modutils package contains a utility called modprobe which is
normally used by the kernel when loading modules on demand. In
versions higher than 2.1.121, the modprobe utility could be tricked
into executing commands supplied as a module name. A normal user
cannot load kernel modules, but he/she can make the kernel at least
try to load a module with a given name by other means. If, as a
result, modprobe is called (with root privileges), the commands will
be executed as root or could at least be interpreted as options for
the modprobe program.

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  modutils-2.3.21-1cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-908.html



+---------------------------------+
|      Debian Advisories          | ----------------------------//
+---------------------------------+

* Debian:  'ghostscript' vulnerabilities
November 23rd, 2000

ghostscript uses temporary files to do some of its work.
Unfortunately the method used to create those files wasn't secure:
mktemp was used to create a name for a temporary file, but the file
was not opened safely. A second problem is that during build the
LD_RUN_PATH environment variable was set to the empty string, which
causes the dynamic linker to look in the current directory for shared
libraries.

  Alpha architecture:  gs_5.10-10.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 72b77c03a2718fe983e177719242446f

  ARM architecture:  gs_5.10-10.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 5b9b95200a1a0045599e2255ee717403

  Intel ia32 architecture: gs_5.10-10.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 567e56445bd8f483c8d46fc0d7dd89c3

  Motorola 680x0 architecture:  gs_5.10-10.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 7ea2f538d5aae483ef560975a27601e9

  PowerPC architecture: gs_5.10-10.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 4fcaf6cb5ade143468562f482c2482d2

  Sun Sparc architecture: gs_5.10-10.1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 85c6eced60413022596098b57fcf2e58

   Vendor Advisory:
   http://www.linuxsecurity.com/advisories/debian_advisory-913.html



* Debian:  'modutils' vulnerability
November 22nd, 2000

In an ideal world modprobe should trust the kernel to only pass valid
parameters to modprobe. However he has found at least one local root
exploit because high level kernel code passed unverified parameters
direct from the user to modprobe. So modprobe no longer trusts kernel
input and switches to a safemode.

  Alpha architecture:    modutils_2.3.11-12_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 44ac46a4689bcbfe2f80ea1d4dcbbd6a

  ARM architecture:    modutils_2.3.11-12_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 7f6608a182324509ed24e7289fe4e3cd

  Intel ia32 architecture:  modutils_2.3.11-12_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 5050bd60fabb74e1814afc4f91b99e7f

  Motorola 680x0 architecture:    modutils_2.3.11-12_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 0925f9813b4bd2627e9302b092fcefa0

  PowerPC architecture:    modutils_2.3.11-12_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 5b469eb86dd396de058752c0c053b93d

  Sun Sparc architecture:  modutils_2.3.11-12_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 988da3bc5908fd6884201b8947f91608

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-892.html



* Debian:  'joe' symlink vulnerability
November 22nd, 2000

When joe (Joe's Own Editor) dies due to a signal instead of a normal
exit it saves a list of the files it is editing to a file called
`DEADJOE' in its current directory. Unfortunately this wasn't done
safely which made joe vulnerable to a symlink attack.

  Alpha architecture:    joe_2.8-15.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: defbc5c39a2ae8ed000b7b302ecd339f

  ARM architecture:    joe_2.8-15.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: bcb70726840c2cf11cba068ce2a826be

  Intel ia32 architecture:  joe_2.8-15.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 21444255b240be01132208e5cb1d3439

  Motorola 680x0 architecture:    joe_2.8-15.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: a4b275c324956489bf7558d42a80f22f

  PowerPC architecture:    joe_2.8-15.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 689d54abe039ded6e82bf60115737631

  Sun Sparc architecture:  joe_2.8-15.1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 8846236e9158cf3f3d7f1b8edce73d40

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-903.html




* Debian:  'ethereal' buffer overflow
November 22nd, 2000

hacksware reported a buffer overflow in the AFS packet parsing code
in ethereal. Gerald Combs then found more overflows in the netbios
and ntp decoding logic as well. An attacker can exploit those
overflows by sending carefully crafted packets to a network that is
being monitored by ethereal.

  Alpha architecture:    ethereal_0.8.0-2potato_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 82f6fd38b2e7cab8b867ac52dae895fd

  ARM architecture:    ethereal_0.8.0-2potato_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 0a704256847208f89811650cc964644b

  Intel ia32 architecture:  ethereal_0.8.0-2potato_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: e388da4ca483cf327dc784c1193d86f3

  PowerPC architecture:    ethereal_0.8.0-2potato_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 530905f2a5fa5a62ebad6207aec91588

  Sun Sparc architecture:  ethereal_0.8.0-2potato_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 30a1e8df61a40ede30a005ad12d43fef

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-904.html



* Debian:  'ncurses' buffer overflows
November 22nd, 2000

The version of the ncurses display library shipped with Debian
GNU/Linux 2.2 is vulnerable to several buffer overflows in the
parsing of terminfo database files. This problem was discovered by
Jouko Pynnönen. The problems are only exploitable in the presence of
setuid binaries linked to ncurses which use these particular
functions, including xmcd versions before 2.5pl1-7.1.

  UPDATES AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-905.html


* Debian:  'xmcd' vulnerability
November 22nd, 2000

The Debian GNU/Linux xmcd package has historically installed two
setuid helpers for accessing cddb databases and SCSI cdrom drives.
More recently, the package offered the administrator the chance to
remove these setuid flags, but did so incorrectly. A buffer overflow
in ncurses, linked to the "cda" binary, allowed a root exploit. Fixed
ncurses packages have been released, as well as fixed xmcd packages
which do not install this binary with a setuid flag.

  UPDATES AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-906.html


* Debian:  'elvis-tiny' vulnerability
November 22nd, 2000

Topi Miettinen audited elvis-tiny and raised an issue covering the
use and creation of temporary files. Those files are created with a
predictable pattern and the O_EXCL flag is not used when opening. This
makes users of elvis-tiny vulnerable to race conditions and/or
datalossage.

  Alpha architecture:    elvis-tiny_1.4-10_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 2590ee56961063492e4ea9042405cff0

  ARM architecture:    elvis-tiny_1.4-10_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 7e7d705d069d12f9a6f2aafd887f16d5

  Intel ia32 architecture:elvis-tiny_1.4-10_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: 5c53b7b9b8f9f61e64d39f51a57a684c

  Motorola 680x0 architecture:    elvis-tiny_1.4-10_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: c4198630e2860fb4ed0acc3f2d28f3fa

  PowerPC architecture:    elvis-tiny_1.4-10_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: e2578f19a8d8ebac6b68e7bccb4a263d

  Sun Sparc architecture:  elvis-tiny_1.4-10_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: 15c862e3debe027092edba3ab4ae62b3

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-910.html


* Debian:  'CUPS' update
November 19th, 2000

The first problem is not a problem either in Debian's potato (2.2) or
woody (unstable). Our cupsys packages are shipped with browsing
turned off by default. The second problem has to do with CUPS's
configuration. CUPS does access control in a similar way to Apache,
and is configured by default in a similar way to Apache.

  UPDATES AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-890.html


* Debian:  'cron' vulnerability
November 18th, 2000

The version of Vixie Cron shipped with Debian GNU/Linux 2.2 is
vulnerable to a local attack, discovered by Michal Zalewski. Several
problems, including insecure permissions on temporary files and race
conditions in their deletion, allowed attacks from a denial of
service (preventing the editing of crontabs) to an escalation of
privilege (when another user edited their crontab).

  Alpha architecture:    cron_3.0pl1-57.1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 3b146f5227182343d3b20cf8fce8a86c

  ARM architecture:    cron_3.0pl1-57.1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 559e80e83abf371a8d09759ee900daf5

  Intel IA32 architecture:  cron_3.0pl1-57.1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 922bb72b07a05fb888771364697f52e1

  Motorola 680x0 architecture:    cron_3.0pl1-57.1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: 2e0d8152ec03a66bb88ba84215fe4de3

  PowerPC architecture:    cron_3.0pl1-57.1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: 16ad8c4a26436239e7a25260340be6d5

  Sun Sparc architecture:  cron_3.0pl1-57.1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: 2bd401a635eedc47e9f6dd1652f71e35

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-889.html


* Debian:  'openssh' vulnerability
November 18th, 2000

The adv.fwd security advisory from OpenBSD reported a problem with
openssh that Jacob Langseth found: when the connection is established
the remote ssh server can force the ssh client to enable agent and
X11 forwarding.

  Alpha architecture:
  ssh-askpass-gnome_1.2.3-9.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: a8b51ca7b67cb0e5aeedac4fa301d18c

  ssh_1.2.3-9.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: bb58e19e240adfe940fbebe2364f6f35

  ARM architecture:

  ssh-askpass-gnome_1.2.3-9.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 543e76b02e7cfdb35f9b92365dc4610b

  ssh_1.2.3-9.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: ed70bc90de326bfec9899f4ed0ac5b6d

  Intel ia32 architecture:

  ssh-askpass-gnome_1.2.3-9.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: a03ebc405c792bbef06d4f3235f0a0d3

  ssh_1.2.3-9.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: c1dfbadec6f9ef38b1ed9391bb1e8c52

  Motorola 680x0 architecture:

  ssh-askpass-gnome_1.2.3-9.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: dcdffa2a00132500621d4eb32ecbae9a

  ssh_1.2.3-9.1_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: e0059e6bfe72a14a18803a507884d194

  PowerPC architecture:

  ssh-askpass-gnome_1.2.3-9.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 4354d03dc3030da57bb1ce91fac6247a

  ssh_1.2.3-9.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 5419aab89a4270933849430efdc0c3d2

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-888.html


* Debian:  'modutils' vulnerability
November 20th, 2000

In an ideal world modprobe should trust the kernel to only pass valid
parameters to modprobe. However he has found at least one local root
exploit because high level kernel code passed unverified parameters
direct from the user to modprobe. So modprobe no longer trusts kernel
input and switches to a safemode.

  Alpha architecture:  modutils_2.3.11-13.1_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 6e4d54d87129ff14cbb667c69454bf0f

  ARM architecture:   modutils_2.3.11-13.1_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 12d4bd14fbc6f5bea5e399e886fef1bd

  Intel ia32 architecture:  modutils_2.3.11-13.1_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: 14c86f702cfed261eb65fdcecaab9c4e

  Motorola 680x0 architecture:   modutils_2.3.11-13.1_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: 41579a25f953981cc3148aee14699145

  PowerPC architecture:  modutils_2.3.11-13.1_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: b551d48435268e338e673f21f08d997d

  Sun Sparc architecture:  modutils_2.3.11-13.1_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: a96dee6c2525ac409bd3c58c711133fe

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-911.html


* Debian:  'tcpdump' vulnerability
November 20th, 2000

During internal source code auditing by FreeBSD several buffer
overflows were found which allow an attacker to make tcpdump crash by
sending carefully crafted packets to a network that is being
monitored with tcpdump.

  Alpha architecture:    tcpdump_3.4a6-4.2_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 7f89d984dbe54116c5aa34aae93e5357

  ARM architecture:    tcpdump_3.4a6-4.2_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: 69dd2892ef04adf55f74b80828c26f5e

  Intel ia32 architecture:  tcpdump_3.4a6-4.2_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: 906068aaeebbcb5f50ea1b2dd1aec4c0

  Motorola 680x0 architecture:    tcpdump_3.4a6-4.2_m68k.deb
  http://security.debian.org/dists/stable/updates/main/binary-m68k/
  MD5 checksum: 17c6feed12c3875d051659526f16393f

  PowerPC architecture:    tcpdump_3.4a6-4.2_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: c850bdecfe6aded7728ef4b6d6549d8e

  Sun Sparc architecture:  tcpdump_3.4a6-4.2_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: b7fbc7275e859c0b0db165349ecafaf0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-893.html


+---------------------------------+
|      FreeBSD Advisories         | ----------------------------//
+---------------------------------+


* FreeBSD:  'curl' vulnerability
November 20th, 2000

Malicious FTP server operators can execute arbitrary code on the
local system when a file is downloaded from this server. If you have
not chosen to install the curl port/package, then your system is not
vulnerable to this problem.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-895.html



* FreeBSD:  'thttpd' ports vulnerability
November 20th, 2000

Remote users may access any file on the system accessible to the web
server user (user 'nobody' in the default installation). If you have
not chosen to install the thttpd port/package, then your system is
not vulnerable to this problem.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-896.html



* FreeBSD:  'php' ports vulnerability
November 20th, 2000

Malicious remote users can execute arbitrary code on the local system
as the user running the webserver (typically user 'nobody'). This
vulnerability requires error logging to be enabled in php.ini or by
using the syslog() php function in a script.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Patch:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-897.html



* FreeBSD: 'telnet' vulnerability
November 20th, 2000

Remote users without a valid login account on the server can cause
resources such as CPU and disk read bandwidth to be consumed, causing
increased server load and possibly denying service to
legitimate users.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/
  telnetd.patch.v1.1

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/
  telnetd.patch.v1.1.asc

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-898.html



* FreeBSD:  'ncurses' vulnerability
November 20th, 2000

Certain setuid/setgid software (including FreeBSD base system
utilities and third party ports/packages) may be vulnerable to a
local exploit yielding privileged access. The /usr/bin/systat utility
is known to be vulnerable to this problem in ncurses. At this time it is
unknown whether /usr/bin/top and /usr/sbin/lpc are also affected. The
problems were corrected prior to the release of FreeBSD 4.2.

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/
  scan_ncurses.sh

  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/
  test_ncurses.sh

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-899.html


* FreeBSD:  'tcsh/csh' vulnerability
November 20th, 2000

Unprivileged local users can cause an arbitrary file writable by a
victim to be overwritten when the victim invokes the '<<' operator in
csh or tcsh (e.g. from within a shell script). If you have not
installed the tcsh or 44bsd-csh ports on your 4.1.1-STABLE system
dated after the correction date, your system is not vulnerable to
this problem.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-900.html


* FreeBSD:  'mgetty' vulnerability
November 20th, 2000

Unprivileged local users may create or overwrite any file on
the system. If you have not chosen to install the mgetty port/package,
then your system is not vulnerable to this problem.

  PATCH AVAILABLE IN VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-894.html


+---------------------------------+
|      Mandrake Advisories        | ----------------------------//
+---------------------------------+

* Mandrake:  'pine' vulnerability
November 21st, 2000

By adding specific headers to messages, the pine mail reader could be
made to exit with an error message when users attempted to manipulate
mail folders containing those messages.

  Linux-Mandrake 7.1:
  MD5 Checksum:  caf4defdd635fa882b35c16b0f556683
  7.1/RPMS/pine-4.30-3.2mdk.i586.rpm

  MD5 Checksum:  95a4a83fe3c602f9fc1416eff107952c
  7.1/SRPMS/pine-4.30-3.2mdk.src.rpm

  http://www.linux-mandrake.com/en/security/

  Linux-Mandrake 7.2:

  MD5 Checksum:  4213c046974d17cbce020814636de281
  7.2/RPMS/pine-4.30-3.1mdk.i586.rpm

  MD5 Checksum:  eb24c5cc0c4878206b19c1f459831f39
  7.2/SRPMS/pine-4.30-3.1mdk.src.rpm

  http://www.linux-mandrake.com/en/security/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-902.html



* Mandrake: 'joe' symlink vulnerability
November 21st, 2000

When exiting joe in a non-standard way (such as a system crash,
closing an xterm, or a network connection going down), joe will
unconditionally append its open buffers to the file DEADJOE. This can
be exploited by the creation of DEADJOE symlinks in directories where
root would normally use joe. In this way, joe could be used to append
garbage to potentially sensitive files, resulting in a denial of
service or other problems.

  Linux-Mandrake 7.1:
  MD5 Checksum:  970975000a64dc08d8498f8d3e5d25f8
  http://www.linux-mandrake.com/en/security/
  7.1/RPMS/joe-2.8-21.2mdk.i586.rpm

  Linux-Mandrake 7.2:
  MD5 Checksum:  409c7433858b819619f481597fbb18ea
  http://www.linux-mandrake.com/en/security/
  7.2/RPMS/joe-2.8-21.1mdk.i586.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-901.html




+---------------------------------+
|      Red Hat Advisories         | ----------------------------//
+---------------------------------+


* Red Hat:  'openssh' vulnerability
November 22nd, 2000

An OpenSSH client will do agent or X11 forwarding at the request of a
server, even if the user has not requested that it be done. A
malicious server can exploit this vulnerability to gain access to the
user's display.

  ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm
  MD5 Checksum:  973c033bd3cf3e3641f7fb9d172baf5a

  ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm
  MD5 Checksum:  51fe082e6830e461a900000e2884cb14

  ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm
  MD5 Checksum:  dd9bb3271403162202599d3cd8b9a22e

  ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm
  MD5 Checksum:  ead1cc84519f5a6fa0233ce8d3237457


ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.3.0p1-4.i386.rpm
  MD5 Checksum:  d426ff6c55181f8ccbea6e2f7a307b99

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-907.html



* Red Hat:  'ghostscript' vulnerability
November 22nd, 2000

ghostscript makes use of mktemp to create temp files, which is an
insecure and predictable approach. It is now patched to use mkstemp,
which avoids the race condition on the name. It also uses improper
LD_RUN_PATH values, causing ghostscript to search for libraries to
load in the current directory.

  ftp://updates.redhat.com/6.2/i386/ghostscript-5.50-8_6.x.i386.rpm
  MD5 Checksum:  e11e7ec51f8e6051e50c5a93738f49ed

  ftp://updates.redhat.com/6.2/i386/ghostscript-5.50-8_6.x.i386.rpm
  MD5 Checksum:  0d5f4448d5245721b1e2762f360791f2

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-909.html
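
The temporary-file flaw named in the ghostscript and elvis-tiny
advisories above, as an added example (not code from any vendor
advisory or from the affected packages): it plants a symlink at a
predictable temp name inside a private sandbox directory, then
contrasts open() without O_EXCL, open() with O_CREAT|O_EXCL, and
mkstemp(). All paths, file names and function names are constructed
for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: predictable name, no O_EXCL.  open() follows a
 * symlink already sitting at that name and truncates its target. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_CREAT|O_EXCL creates atomically and fails with EEXIST if
 * the name already exists, including when it is a symlink. */
static int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks the name itself and opens it exclusively.
 * The template must end in "XXXXXX" and is rewritten in place. */
static int open_tmp_mkstemp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Builds a private sandbox (constructed names), puts a 10-byte "victim"
 * file in it and a symlink to the victim at the predictable temp name,
 * then opens the temp name with the chosen strategy.
 * Returns the victim's size afterwards (-1 on setup failure);
 * *rejected is set to 1 when the open was refused with EEXIST. */
static long run_scenario(int use_excl, int *rejected)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char victim[128], tmpname[128];
    struct stat st;
    long size = -1;
    int fd;

    *rejected = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(tmpname, sizeof tmpname, "%s/app.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, "important\n", 10) != 10) { close(fd); goto out; }
    close(fd);
    if (symlink(victim, tmpname) != 0)      /* name exists before the app runs */
        goto out;

    fd = use_excl ? open_tmp_excl(tmpname) : open_tmp_unsafe(tmpname);
    if (fd >= 0)
        close(fd);
    else if (errno == EEXIST)
        *rejected = 1;
    if (stat(victim, &st) == 0)
        size = (long)st.st_size;
out:
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return size;
}

/* Permission bits of a regular file created through mkstemp(), or -1. */
static int mkstemp_mode(void)
{
    char tmpl[] = "/tmp/tmpdemo.XXXXXX";
    struct stat st;
    int mode = -1, fd = open_tmp_mkstemp(tmpl);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        mode = (int)(st.st_mode & 0777);
    close(fd);
    unlink(tmpl);
    return mode;
}

int main(void)
{
    int rej;
    long sz = run_scenario(0, &rej);
    printf("no O_EXCL: victim size %ld, refused=%d\n", sz, rej);
    sz = run_scenario(1, &rej);
    printf("O_EXCL   : victim size %ld, refused=%d\n", sz, rej);
    printf("mkstemp  : mode %o\n", (unsigned)mkstemp_mode());
    return 0;
}
```
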



* Red Hat: 'modutils' vulnerability
November 22nd, 2000

The previous packages of modutils released to address a local root
compromise contained an error in new safe guards that caused them to
not properly be enabled when run as root from the kmod process. These
new safe guards check the arguments passed to modules. The new 2.3.21
modutils package fixes this error and correctly checks the arguments
when running from kmod, limiting kernel module arguments to those
specified in /etc/conf.modules (on Red Hat Linux 6.2) or
/etc/modules.conf (on Red Hat Linux 7). This release supersedes the
previous modutils errata packages.

  Red Hat Linux 6.2:

  alpha:
  ftp://updates.redhat.com/6.2/alpha/modutils-2.3.21-0.6.2.alpha.rpm

  sparc:
  ftp://updates.redhat.com/6.2/sparc/modutils-2.3.21-0.6.2.sparc.rpm

  i386:
  ftp://updates.redhat.com/6.2/i386/modutils-2.3.21-0.6.2.i386.rpm

  Red Hat Linux 7.0:

  i386:
  ftp://updates.redhat.com/7.0/i386/modutils-2.3.21-1.i386.rpm

   Vendor Advisory:
   http://www.linuxsecurity.com/advisories/redhat_advisory-912.html


* Red Hat:  'joe' update
November 20th, 2000

When exiting joe in a nonstandard way (such as a system crash,
closing an xterm, or a network connection going down), joe will
unconditionally append its open buffers to the file "DEADJOE". This
could be exploited by the creation of DEADJOE symlinks in directories
where root would normally use joe. In this way, joe could be used to
append garbage to potentially-sensitive files, resulting in a denial
of service.


  Red Hat Linux 7.0 i386:
  ftp://updates.redhat.com/7.0/i386/joe-2.8-43.i386.rpm
  MD5 Checksum:  1578b0e184b76b23d2a30b101f1665d4

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-891.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

