Information Security News mailing list archives
Linux Advisory Watch, Nov 3rd 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 3 Nov 2000 01:05:53 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  November 3rd, 2000                       Volume 1, Number 27a |
+----------------------------------------------------------------+

Editors:     Dave Wreski                  Benjamin Thomas
             dave () linuxsecurity com    ben () linuxsecurity com

This week, advisories were released for gnupg, ypbind, getnameinfo,
top, tcpdump, boa, pine, chpass, cfengine, libutil, nis, dump,
nss_ldap, and ncurses. The vendors include Conectiva, Caldera,
FreeBSD, NetBSD, Red Hat, SuSE, and Trustix. It is critical that you
update all vulnerable packages to reduce the risk of being
compromised. FreeBSD and NetBSD released a combined total of 10
advisories.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

-- OpenDoc Publishing --

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

   # rpm -Uvh
   # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories issued by
vendors are packaged in either an rpm or dpkg. Additional
installation instructions can be found in the body of the
Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

   # md5sum
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package
also may have modified the published checksum, it is especially
useful for establishing a great deal of assurance in the integrity
of a package before installing

+---------------------------------+
|  Caldera Advisories             | ----------------------------//
+---------------------------------+

* Caldera: 'ypbind' vulnerability
October 27th, 2000

There are several security problems in ypbind, the daemon used by
NIS clients for binding to their NIS server(s). First, there is a
potential buffer overflow; it is not clear whether it is possible to
exploit it at all. Second, there is a denial of service attack
against ypbind that can make it run out of file descriptors.

   Package Name: nis-client-2.0-12.i386.rpm
   ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
   MD5 Checksum: 475f1173b39d61be3bfefb616adc7d70

   Package Name: nis-server-2.0-12.i386.rpm
   ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
   MD5 Checksum: 2b843e611fa135fec1d1ab3eec32eafe

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/caldera_advisory-839.html

+---------------------------------+
|  Conectiva Advisories           | ----------------------------//
+---------------------------------+

* Conectiva: 'gnupg' vulnerability
October 30th, 2000

gnupg up to and including version 1.0.3 has a flaw in the signature
checking code. This code does not work properly when there are
multiple signatures within the file. Gnupg can incorrectly report
some signatures to be valid even if that portion of the file has
been tampered with.

   Package Name: gnupg-1.0.4-1cl.i386.rpm
   ftp://atualizacoes.conectiva.com.br/5.1/i386/
   MD5 Checksum: None Given

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/other_advisory-841.html

+---------------------------------+
|  FreeBSD Advisories             | ----------------------------//
+---------------------------------+

* FreeBSD: 'tcpdump' vulnerability
October 30th, 2000

Remote users can cause the local tcpdump process to crash, and
(under FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and
4.1.1-STABLE prior to the correction date) may be able to cause
arbitrary code to be executed as the user running tcpdump, usually
root.

   Patch: top.patch.asc
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/freebsd_advisory-847.html

* FreeBSD: 'getnameinfo' vulnerability
November 1st, 2000

An off-by-one error exists in the processing of DNS hostnames which
allows a long DNS hostname to crash the getnameinfo() function when
an address resolution of the hostname is performed (e.g. in response
to a connection to a service which makes use of getnameinfo()).

   Patch: getnameinfo.patch.asc
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:63/

   Vendor Patch:
   -> http://www.linuxsecurity.com/advisories/freebsd_advisory-848.html

* FreeBSD: 'top' vulnerability
November 1st, 2000

Local users can read privileged data from kernel memory which may
provide information allowing them to further increase their local or
remote system access privileges.

   Patch: top.patch.asc
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/freebsd_advisory-847.html

* FreeBSD: 'pine' vulnerability
October 30th, 2000

The pine4 port, versions 4.21 and before, contains a buffer overflow
vulnerability which allows a remote user to execute arbitrary code
on the local client by the sending of a specially crafted email
message. The overflow occurs during the periodic "new mail" checking
of an open folder.

   Package: pine-4.21_1.tgz
   ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/freebsd_advisory-844.html

* FreeBSD: 'boa' vulnerability
October 30th, 2000

Remote users may view any file on the system that is accessible by
the webserver account. In addition, the webserver account may be
compromised due to the execution of arbitrary files outside the
document root.

   Package Name: boa-0.94.8.3.tgz
   ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/freebsd_advisory-845.html

* FreeBSD: 'chpass' vulnerability
October 30th, 2000

A "format string vulnerability" was discovered in code used by the
vipw utility during an internal FreeBSD code audit in July 2000. The
vipw utility does not run with increased privileges and so it was
believed at the time that it did not represent a security
vulnerability.
However it was not realised that this code is also shared with other
utilities -- namely chfn, chpass, chsh, ypchfn, ypchpass, ypchsh and
passwd -- which do in fact run setuid root.

   Patch: vipw.patch.asc
   ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/freebsd_advisory-843.html

+---------------------------------+
|  NetBSD Advisories              | ----------------------------//
+---------------------------------+

* NetBSD: 'cfengine' vulnerability
October 27th, 2000

The cfd daemon in GNU CFEngine contains several format string
vulnerabilities in syslog() calls. This could permit remote hosts to
inject the network daemon with a message causing a segmentation
fault. As cfd is almost always run as root due to its nature
(centralized configuration management), this could lead to a root
compromise.

   http://www.linuxsecurity.com/advisories/netbsd_advisory-835.html

* NetBSD: 'Global-3.55' vulnerability
October 27th, 2000

The exploit of this is possible due to insufficient handling of
quoted or escaped characters in this version, and command line
arguments that are then handed off to shell commands.

   SEE VENDOR ADVISORY FOR UPDATE INFORMATION

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/netbsd_advisory-835.html

* NetBSD: 'libutil' vulnerabilities
October 27th, 2000

pw_error passed its first argument to the warn(3) function, which
interprets its first argument as a format string. In certain
circumstances, passwd(1) passes a value derived from untrusted user
input to pw_error().

   SEE VENDOR ADVISORY FOR UPDATE INFORMATION

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/caldera_advisory-837.html

* NetBSD: "NIS" buffer overflow
October 27th, 2000

NIS client nodes may be vulnerable to a remote buffer overflow
attack.
If the node is configured to use NIS for hostname lookups, and a
rogue NIS server is in a position to respond to a hostname lookup
request, a malformed response could cause a denial of service due to
abnormal program termination. In the worst case, an account could be
hijacked.

   Upgrade Package:
   ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000808-nis

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/netbsd_advisory-834.html

+---------------------------------+
|  Red Hat Advisories             | ----------------------------//
+---------------------------------+

* Redhat: 'dump' update
November 2nd, 2000

The Red Hat 7.0 dump is being released for Red Hat 6.x and Red Hat
5.x in order to remove root setuid bits to prevent a known dump
exploit (#20111). The new dump packages also include a fix for a
buffer overflow (#9899).

   PLEASE SEE ADVISORY FOR UPDATE INFORMATION

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/redhat_advisory-849.html

* Redhat: 'nss_ldap' race condition
October 27th, 2000

A race condition has been found in the nss_ldap package. On a system
running nscd, a malicious user can cause the system to hang.

   * Red Hat Linux 6.1:

   alpha:
   ftp://updates.redhat.com/6.1/alpha/nss_ldap-122-1.6.alpha.rpm
   MD5 Checksum: 08d8e980347fe7d81e29e1ca27e7cb09

   sparc:
   ftp://updates.redhat.com/6.1/sparc/nss_ldap-122-1.6.sparc.rpm
   MD5 Checksum: f12cc2e7f9ab1c5faed9c647bfcbab03

   i386:
   ftp://updates.redhat.com/6.1/i386/nss_ldap-122-1.6.i386.rpm
   MD5 Checksum: 4d47831ae8516106392e74f5e1f2fd02

   * Red Hat Linux 6.2:

   alpha:
   ftp://updates.redhat.com/6.2/alpha/nss_ldap-122-1.6.alpha.rpm
   MD5 Checksum: 08d8e980347fe7d81e29e1ca27e7cb09

   sparc:
   ftp://updates.redhat.com/6.2/sparc/nss_ldap-122-1.6.sparc.rpm
   MD5 Checksum: f12cc2e7f9ab1c5faed9c647bfcbab03

   i386:
   ftp://updates.redhat.com/6.2/i386/nss_ldap-122-1.6.i386.rpm
   MD5 Checksum: 4d47831ae8516106392e74f5e1f2fd02

   * Red Hat Linux 7.0:

   i386:
   ftp://updates.redhat.com/7.0/i386/nss_ldap-122-1.7.i386.rpm
   MD5 Checksum: 95337178e79472118cf33b0584462679

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/redhat_advisory-840.html

+---------------------------------+
|  SuSE Advisories                | ----------------------------//
+---------------------------------+

* SuSE: 'ncurses' vulnerability
October 27th, 2000

Insufficient boundary checking leads to a buffer overflow if a user
supplies a specially drafted terminfo database file. If an
ncurses-linked binary is installed setuid root, it is possible for a
local attacker to exploit this hole and gain elevated privileges.

   Package Name: perms-ncurses.sh
   ftp://ftp.suse.com/pub/suse/noarch/perms-ncurses.sh
   MD5 Checksum: abe22607d45ecdb710f6061d5bbd3d13

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/suse_advisory-838.html

+---------------------------------+
|  Trustix Advisories             | ----------------------------//
+---------------------------------+

* Trustix: various updates
October 30th, 2000

iputils: Fixes several problems in ping including a buffer overflow.

gnupg: Fixed a serious bug which could lead to false signature
verification results when more than one signature is fed to gpg.

ypbind: Local root exploit.
Users of TSL 1.0x and 1.1 that worry about local security should
definitely upgrade.

   Package Name: gnupg-1.0.4-2tr.i586.rpm
   ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
   MD5 Checksum: 9e2bbf3ddd728da4cbab3ece1ba390b7

   Package Name: iputils-20001011-1tr.i586.rpm
   ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
   MD5 Checksum: 43d503eb306f202c794ca064980574ad

   Package Name: ypbind-3.3-29tr.i586.rpm
   ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
   MD5 Checksum: 8625657f6edea52b88e0cff1dfff4bb4

   Vendor Advisory:
   -> http://www.linuxsecurity.com/advisories/other_advisory-842.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".