Information Security News mailing list archives

Linux Advisory Watch, Nov 3rd 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 3 Nov 2000 01:05:53 -0500

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  November 3rd, 2000                      Volume 1, Number 27a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com


This week, advisories were released for gnupg, ypbind, getnameinfo,
top, tcpdump, boa, pine, chpass, cfengine, libutil, nis, dump,
nss_ldap, and ncurses.  The vendors include Conectiva, Caldera,
FreeBSD, NetBSD, Red Hat, SuSE, and Trustix.  It is critical that
you update all vulnerable packages to reduce the risk of being
compromised.  FreeBSD and NetBSD released a combined total of
10 advisories.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

-- OpenDoc Publishing --

Our sponsor this week is OpenDoc Publishing.  Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|   Installing a new package:     | ------------------------------//
+---------------------------------+

   # rpm  -Uvh <package>.rpm
   # dpkg -i   <package>.deb

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be compared against a previously-generated sum to
determine whether the file has changed, and it is commonly used to
check the integrity of updated packages distributed by a vendor.

  # md5sum <package>.rpm
    ebf0d4a0d236453f63a797ea20f0758b  <package>.rpm

This 32-character hexadecimal string can then be compared against the
MD5 checksum published by the packager.  The check cannot rule out the
possibility that whoever modified a package also modified the
published checksum, but it still gives a great deal of assurance in
the integrity of a package before installing it.
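The two procedures above (verify the published checksum, then install
with rpm or dpkg) combined into one script, as an added example that is
not part of the newsletter.  It assumes GNU md5sum (coreutils) or the
BSD md5 utility is on the PATH; the sample file and its digest are
constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the newsletter): verify a downloaded update
# against the MD5 checksum printed in the vendor advisory, and only
# then hand it to the package manager.

# md5_of FILE: print the MD5 digest of FILE as 32 lowercase hex chars.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        digest=$(md5sum "$1" | awk '{print $1}')   # "hash  filename"
    else
        digest=$(md5 -q "$1")                      # BSD md5 prints hash only
    fi
    printf '%s\n' "$digest" | tr 'A-F' 'a-f'
}

# verify_md5 FILE EXPECTED: return 0 if the digest matches, 1 otherwise.
# Case-insensitive, since advisories print the checksum in either case.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# verified_install FILE EXPECTED: install only after the checksum
# matches, choosing rpm or dpkg from the file extension.
verified_install() {
    verify_md5 "$1" "$2" || return 1
    case "$1" in
        *.rpm) rpm -Uvh "$1" ;;
        *.deb) dpkg -i "$1" ;;
        *) printf 'unknown package type: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Constructed demo: a temporary file containing "hello\n", whose
# well-known MD5 digest is b1946ac92492d2347c6235b4d2611184.
demo=$(mktemp)
printf 'hello\n' > "$demo"
verify_md5 "$demo" b1946ac92492d2347c6235b4d2611184 && echo "OK: $demo verified"
rm -f "$demo"
```

Take the expected checksum from the advisory text itself rather than from
a file sitting next to the package, so the two cannot be swapped together.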


+---------------------------------+
|       Caldera Advisories        | ----------------------------//
+---------------------------------+

* Caldera:  'ypbind' vulnerability
October 27th, 2000

There are several security problems in ypbind, the daemon used by NIS
clients for binding to their NIS server(s). First, there is a
potential buffer overflow; it is not clear whether it is possible to
exploit it at all. Second, there is a denial of service attack
against ypbind that can make it run out of file descriptors.

  Package Name:  nis-client-2.0-12.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 Checksum:  475f1173b39d61be3bfefb616adc7d70

  Package Name:  nis-server-2.0-12.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  MD5 Checksum:  2b843e611fa135fec1d1ab3eec32eafe

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/caldera_advisory-839.html



+---------------------------------+
|       Conectiva Advisories      | ----------------------------//
+---------------------------------+

* Conectiva:  'gnupg' vulnerability
October 30th, 2000

gnupg up to and including version 1.0.3 has a flaw in the signature
checking code. This code does not work properly when there are
multiple signatures within the file. Gnupg can incorrectly report
some signatures to be valid even if that portion of the file has been
tampered with.

  Package Name:   gnupg-1.0.4-1cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  MD5 Checksum:  None Given

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/other_advisory-841.html



+---------------------------------+
|        FreeBSD Advisories       | ----------------------------//
+---------------------------------+


* FreeBSD:  'tcpdump' vulnerability
October 30th, 2000

Remote users can cause the local tcpdump process to crash, and (under
FreeBSD 4.0-RELEASE, 4.1-RELEASE, 4.1.1-RELEASE and 4.1.1-STABLE
prior to the correction date) may be able to cause arbitrary code to
be executed as the user running tcpdump, usually root.

  Patch: top.patch.asc
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/freebsd_advisory-847.html



* FreeBSD:  'getnameinfo' vulnerability
November 1st, 2000

An off-by-one error exists in the processing of DNS hostnames which
allows a long DNS hostname to crash the getnameinfo() function when
an address resolution of the hostname is performed (e.g. in response
to a connection to a service which makes use of getnameinfo()).

  Patch:  getnameinfo.patch.asc
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:63/

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/freebsd_advisory-848.html



* FreeBSD:  'top' vulnerability
November 1st, 2000

Local users can read privileged data from kernel memory which may
provide information allowing them to further increase their local or
remote system access privileges.

  Patch: top.patch.asc
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:62/

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/freebsd_advisory-847.html



* FreeBSD:  'pine' vulnerability
October 30th, 2000

The pine4 port, versions 4.21 and before, contains a buffer overflow
vulnerability which allows a remote user to execute arbitrary code on
the local client by sending a specially crafted email message.  The
overflow occurs during the periodic "new mail" checking of an open
folder.

  Package: pine-4.21_1.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/freebsd_advisory-844.html



* FreeBSD:  'boa' vulnerability
October 30th, 2000

Remote users may view any file on the system that is accessible by
the webserver account. In addition, the webserver account may be
compromised due to the execution of arbitrary files outside
the document root.

  Package Name:  boa-0.94.8.3.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/freebsd_advisory-845.html




* FreeBSD:  'chpass' vulnerability
October 30th, 2000

A "format string vulnerability" was discovered in code used by the
vipw utility during an internal FreeBSD code audit in July 2000. The
vipw utility does not run with increased privileges and so it was
believed at the time that it did not represent a security
vulnerability. However it was not realised that this code is also
shared with other utilities -- namely chfn, chpass, chsh, ypchfn,
ypchpass, ypchsh and passwd -- which do in fact run setuid root.

  Patch: vipw.patch.asc
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:58/

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/freebsd_advisory-843.html



+---------------------------------+
|         NetBSD Advisories       | ----------------------------//
+---------------------------------+


* NetBSD:  'cfengine' vulnerability
October 27th, 2000

The cfd daemon in GNU CFEngine contains several format string
vulnerabilities in syslog() calls. Remote hosts could send the network
daemon a message that causes a segmentation fault. As cfd is almost
always run as root due to its nature (centralized configuration
management), this could lead to a root compromise.

http://www.linuxsecurity.com/advisories/netbsd_advisory-835.html


* NetBSD:  'Global-3.55' vulnerability
October 27th, 2000

Exploitation is possible because this version does not adequately
handle quoted or escaped characters in command line arguments that
are then handed off to shell commands.

  SEE VENDOR ADVISORY FOR UPDATE INFORMATION

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/netbsd_advisory-835.html



* NetBSD:  'libutil' vulnerabilities
October 27th, 2000

pw_error passed its first argument to the warn(3) function, which
interprets its first argument as a format string. In certain
circumstances, passwd(1) passes a value derived from untrusted user
input to pw_error().

  SEE VENDOR ADVISORY FOR UPDATE INFORMATION

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/caldera_advisory-837.html



* NetBSD:  "NIS" buffer overflow
October 27th, 2000

NIS client nodes may be vulnerable to a remote buffer overflow
attack. If the node is configured to use NIS for hostname lookups,
and a rogue NIS server is in a position to respond to a hostname
lookup request, a malformed response could cause a denial of service
due to abnormal program termination. In the worst case, an account
could be hijacked.

  Upgrade Package:
  ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000808-nis

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/netbsd_advisory-834.html


+---------------------------------+
|        Red Hat Advisories       | ----------------------------//
+---------------------------------+


* Redhat:  'dump' update
November 2nd, 2000

The Red Hat 7.0 dump is being released for Red Hat 6.x and Red Hat
5.x in order to remove root setuid bits to prevent a known
dump exploit (#20111). The new dump packages also include a fix for a
buffer overflow (#9899).

  PLEASE SEE ADVISORY FOR UPDATE INFORMATION

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/redhat_advisory-849.html


* Redhat:  'nss_ldap' race condition
October 27th, 2000

A race condition has been found in the nss_ldap package. On a system
running nscd, a malicious user can cause the system to hang.

  * Red Hat Linux 6.1:
  alpha:
  ftp://updates.redhat.com/6.1/alpha/nss_ldap-122-1.6.alpha.rpm
  MD5 Checksum:  08d8e980347fe7d81e29e1ca27e7cb09

  sparc:
  ftp://updates.redhat.com/6.1/sparc/nss_ldap-122-1.6.sparc.rpm
  MD5 Checksum:  f12cc2e7f9ab1c5faed9c647bfcbab03

  i386:
  ftp://updates.redhat.com/6.1/i386/nss_ldap-122-1.6.i386.rpm
  MD5 Checksum:  4d47831ae8516106392e74f5e1f2fd02

  * Red Hat Linux 6.2:

  alpha:
  ftp://updates.redhat.com/6.2/alpha/nss_ldap-122-1.6.alpha.rpm
  MD5 Checksum:  08d8e980347fe7d81e29e1ca27e7cb09

  sparc:
  ftp://updates.redhat.com/6.2/sparc/nss_ldap-122-1.6.sparc.rpm
  MD5 Checksum:  f12cc2e7f9ab1c5faed9c647bfcbab03

  i386:
  ftp://updates.redhat.com/6.2/i386/nss_ldap-122-1.6.i386.rpm
  MD5 Checksum:  4d47831ae8516106392e74f5e1f2fd02

  * Red Hat Linux 7.0:

  i386:
  ftp://updates.redhat.com/7.0/i386/nss_ldap-122-1.7.i386.rpm
  MD5 Checksum:  95337178e79472118cf33b0584462679

    Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/redhat_advisory-840.html





+---------------------------------+
|         SuSE Advisories         | ----------------------------//
+---------------------------------+


* SuSE:  'ncurses' vulnerability
October 27th, 2000

Insufficient boundary checking leads to a buffer overflow if a user
supplies a specially drafted terminfo database file. If an
ncurses-linked binary is installed setuid root, it is possible for a
local attacker to exploit this hole and gain elevated privileges.

  Package Name:   perms-ncurses.sh
  ftp://ftp.suse.com/pub/suse/noarch/perms-ncurses.sh
  MD5 Checksum:  abe22607d45ecdb710f6061d5bbd3d13

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/suse_advisory-838.html




+---------------------------------+
|       Trustix Advisories        | ----------------------------//
+---------------------------------+


* Trustix:  various updates
October 30th, 2000

  iputils: Fixes several problems in ping, including a buffer overflow.
  gnupg:   Fixed a serious bug which could lead to false signature
           verification results when more than one signature is fed
           to gpg.
  ypbind:  Local root exploit. Users of TSL 1.0x and 1.1 that worry
           about local security should definitely upgrade.

  Package Name:  gnupg-1.0.4-2tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 Checksum:  9e2bbf3ddd728da4cbab3ece1ba390b7

  Package Name:  iputils-20001011-1tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 Checksum:  43d503eb306f202c794ca064980574ad

  Package Name:  ypbind-3.3-29tr.i586.rpm
  ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
  MD5 Checksum:  8625657f6edea52b88e0cff1dfff4bb4

     Vendor Advisory:
  -> http://www.linuxsecurity.com/advisories/other_advisory-842.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
