Information Security News mailing list archives

Linux Advisory Watch, Oct 20th 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 20 Oct 2000 13:04:17 -0400

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  October 20th, 2000                      Volume 1, Number 25a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com

This week, advisories were released for gnupg, php, traceroute, curl,
fingerd, xpdf, LPRng, muh, apache, cfengine, ping, ypbind/client, and
gnorpm.  The vendors include Caldera, Conectiva, Debian, FreeBSD,
Mandrake, Red Hat, Slackware, SuSE, and TurboLinux.  It is critical
that you update all vulnerable packages to reduce the risk of
being compromised.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

-- OpenDoc Publishing --

Our sponsor this week is OpenDoc Publishing.  Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

+---------------------------------+
|   Installing a new package:     | -----------------------------//
+---------------------------------+

   # rpm  -Uvh <filename>
   # dpkg -i   <filename>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

  # md5sum <filename>
    ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager.  This does not account for the possibility
that whoever modified a package also modified the published checksum,
but it is especially useful for establishing a great deal of assurance
in the integrity of a package before installing it.



+---------------------------------+
|       Caldera  Advisories       | ----------------------------//
+---------------------------------+

* Caldera:  'gnupg' vulnerability
October 19th, 2000

There is a bug in the signature verification of GNUpg, the GNU
replacement for PGP. Normally, signature verification with gnupg
works as expected; gnupg properly detects when digitally signed data
has been tampered with. These checks do not work properly if there
are several sections with inline signatures within a single file. In
this case, GNUpg does not always detect when some of the signed
portions have been modified, and incorrectly claims that all
signatures are valid.

  Package Name: gnupg-1.0.4-2.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
  MD5 Checksum: 3892693d729a46acc587dcece5a59f7c

  http://www.linuxsecurity.com/advisories/caldera_advisory-816.html


* Caldera:  'php' update
October 13th, 2000

There's a format bug in the logging code of the mod_php3 module. It
uses apache's aplog_error function, passing user-specified input as
the format string. This can be exploited by a remote attacker to
execute arbitrary shell commands under the HTTP server account (user
httpd).

  Package Name: mod_php3-3.0.17-1D.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
  MD5 Checksum: 1821696bfa5b169c97760796f732b6d3

  http://www.linuxsecurity.com/advisories/caldera_advisory-805.html


+---------------------------------+
|      Conectiva  Advisories      | ----------------------------//
+---------------------------------+


* Conectiva:  'mod_php3' supplement
October 13th, 2000

Conectiva Linux 5.1 *is* also vulnerable to the mod_php3 problem
reported in that advisory. Due to an operational error, it was not
listed in that email, even though the fixed packages were already in
our ftp area for that specific distro.

  Packages available in vendor advisory.
  http://www.linuxsecurity.com/advisories/other_advisory-798.html



+---------------------------------+
|      Debian  Advisories         | ----------------------------//
+---------------------------------+

* Debian:  Updated 'php3' packages
October 15th, 2000

ypbind is used to request information from a NIS server which is then
used by the local machine. The logging code in ypbind was vulnerable
to a printf formatting attack which can be exploited by passing ypbind
a carefully crafted request. This way ypbind can be made to run
arbitrary code as root.

  Alpha architecture: nis_3.8-0.1_alpha.deb
  http://security.debian.org/dists/stable/updates/main/binary-alpha/
  MD5 checksum: 1e361e5a9671c02eafdddeee4071f2cb

  ARM architecture: nis_3.8-0.1_arm.deb
  http://security.debian.org/dists/stable/updates/main/binary-arm/
  MD5 checksum: a1ba8db1065c56a1d18c063f6a69218b

  Intel ia32 architecture: nis_3.8-0.1_i386.deb
  http://security.debian.org/dists/stable/updates/main/binary-i386/
  MD5 checksum: b1a4588f81c0fda4815172d5a2bee134

  PowerPC architecture: nis_3.8-0.1_powerpc.deb
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/
  MD5 checksum: 5ac411b1d68da664649c1828962ee985

  Sun Sparc architecture: nis_3.8-0.1_sparc.deb
  http://security.debian.org/dists/stable/updates/main/binary-sparc/
  MD5 checksum: 063c6e424da6ad714a3be5e85be034b9

  http://www.linuxsecurity.com/advisories/caldera_advisory-807.html


* Debian:  Updated 'php4' packages
October 15th, 2000

In versions of the PHP 4 packages before version 4.0.3, several
format string bugs could allow properly crafted requests to execute
code as the user running PHP scripts on the web server.

  Packages available in vendor advisory.
  http://www.linuxsecurity.com/advisories/debian_advisory-806.html



* Debian:  'traceroute' update
October 13th, 2000

In versions of the traceroute package before 1.4a5-3, it is possible
for a local user to gain root access by exploiting an argument
parsing error.

  Alpha architecture: traceroute_1.4a5-3_alpha.deb
  http://security.debian.org/dists/potato/updates/main/binary-alpha/
  MD5 checksum: 6b3f20ecb08276c15715ae54ef8be0c7

  ARM architecture: traceroute_1.4a5-3_arm.deb
  http://security.debian.org/dists/potato/updates/main/binary-arm/
  MD5 checksum: 3e92eb865b388769da00a5cb3297a862

  Intel ia32 architecture: traceroute_1.4a5-3_i386.deb
  http://security.debian.org/dists/potato/updates/main/binary-i386/
  MD5 checksum: feba02e20848bdfafa6bf7dd9c594eba

  Motorola 680x0 architecture: traceroute_1.4a5-3_m68k.deb
  http://security.debian.org/dists/potato/updates/main/binary-m68k/
  MD5 checksum: fdc5a6ed3cd97067c4b7e1ddf7945287

  PowerPC architecture: traceroute_1.4a5-3_powerpc.deb
  http://security.debian.org/dists/potato/updates/main/binary-powerpc/
  MD5 checksum: 3cb1524fccc1eb0e011ec17d2d2a1407

  Sun Sparc architecture: traceroute_1.4a5-3_sparc.deb
  http://security.debian.org/dists/potato/updates/main/binary-sparc/
  MD5 checksum: a9f078c807e52ab1a68bdeba0d364be1

  http://www.linuxsecurity.com/advisories/debian_advisory-796.html



* Debian:  'curl' and 'curl-ssl' updates
October 13th, 2000

The version of curl as distributed with Debian GNU/Linux 2.2 had a
bug in the error logging code: when it created an error message it
failed to check the size of the buffer allocated for storing the
message. This could be exploited by the remote machine by returning
an invalid response to a request from curl which overflows the error
buffer and tricks curl into executing arbitrary code.

  Packages available in vendor advisories.
  http://www.linuxsecurity.com/advisories/debian_advisory-804.html



+---------------------------------+
|      FreeBSD Advisories         | ----------------------------//
+---------------------------------+


* FreeBSD:  'fingerd' vulnerability
October 13th, 2000

Remote users can obtain read access (as the 'nobody' user) to large
parts of the local filesystem on systems running a vulnerable
fingerd. This may disclose confidential information and may
facilitate further attacks on the system.

  Vendor Patch:
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch

  http://www.linuxsecurity.com/advisories/freebsd_advisory-799.html


* FreeBSD:  'xpdf' ports vulnerability
October 13th, 2000

Local users, using a symlink attack, can cause arbitrary files owned
by the user running xpdf to be overwritten. Also, malicious PDFs can
cause arbitrary code to be executed.

  Package Name: xpdf-0.91.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/

  http://www.linuxsecurity.com/advisories/freebsd_advisory-800.html


* FreeBSD:  'LPRng' ports vulnerability
October 13th, 2000

Local and remote users may potentially gain root privileges on
systems using LPRng. If you have not chosen to install the LPRng
port/package, then your system is not vulnerable to this problem.

  Package Name: LPRng-3.6.25.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/

  http://www.linuxsecurity.com/advisories/freebsd_advisory-801.html


* FreeBSD:  'muh' ports vulnerability
October 13th, 2000

Remote IRC users can cause arbitrary code to be executed as the user
running muh. If you have not chosen to install the muh port/package,
then your system is not vulnerable to this problem.

  Package Name: muh-2.05c.tgz
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/

  http://www.linuxsecurity.com/advisories/freebsd_advisory-802.html


+---------------------------------+
|       Mandrake Advisories       | ----------------------------//
+---------------------------------+


* Mandrake:  'apache' update
October 19th, 2000

The Apache web server comes with a module called mod_rewrite which is
used to rewrite URLs presented by the client prior to further
processing. There is a flaw in the mod_rewrite logic that allows an
attacker to view arbitrary files on the server system if they contain
regular expression references. All Linux-Mandrake users using Apache
are encouraged to upgrade to these updated versions that fix this
flaw.

  Package Name: apache-1.3.6-29mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  MD5 Checksum: 77fa37ac213493d94f5817f93710cbb8

  Package Name: apache-devel-1.3.6-29mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  MD5 Checksum: 8c51afd87ab8be5b08bc2d02fdc37298

  Package Name: apache-1.3.9-8mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  MD5 Checksum: 890f342e3d33a73978b9ec60d53f3c54

  Package Name: apache-devel-1.3.9-8mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  MD5 Checksum: 4308ebc3b5c496b74173d0af0cb43de9

  Package Name: apache-1.3.9-18mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 Checksum: 094ae1b8764bd6c71519fe051b735e21

  Package Name: apache-devel-1.3.9-18mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 Checksum: dc298d04f25fe4f5a895e898606b8551

  Package Name: apache-suexec-1.3.9-18mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  MD5 Checksum: 7fe54f76cf8f5b46d35ba44944783811

  Package Name: apache-1.3.12-15mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 Checksum: 6733773bb495b2095eae6670dc40c1a8

  Package Name: apache-devel-1.3.12-15mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 Checksum: 6de0327248be26c363bb5bb32a8d7530

  Package Name: apache-suexec-1.3.12-15mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 Checksum: 1bdbee39947ed25e99af77486eadeee0

  http://www.linuxsecurity.com/advisories/mandrake_advisory-815.html


* Mandrake:  'cfengine' vulnerability
October 13th, 2000

The GNU cfengine is an abstract programming language for system
administrators of large heterogeneous networks, used for maintenance
and administration. There are a number of string format
vulnerabilities in syslog() calls that can be abused to either make
the cfengine program segfault and die or to execute arbitrary
commands as the user the cfengine program runs as (usually root). The
problems are fixed in this update and all Linux-Mandrake users are
encouraged to upgrade.

  Package Name: cfengine-1.5.4-5mdk.i586.rpm
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  MD5 Checksum: 17bec62b5b573d91e2558fe06dae91f2

  http://www.linuxsecurity.com/advisories/mandrake_advisory-794.html


* Mandrake:  'mod_php3' vulnerability
October 13th, 2000

PHP version 3, which ships with Linux-Mandrake, is vulnerable to
format string attacks due to logging functions that make improper use
of the syslog() and vsnprintf() functions. This renders PHP3-enabled
servers vulnerable to compromise by remote attackers. This attack is
only effective on PHP installations that log errors and warnings;
servers that do not log them are not affected. By default,
Linux-Mandrake systems do not have logging enabled.

  Package available in vendor advisory.
  http://www.linuxsecurity.com/advisories/mandrake_advisory-795.html


+---------------------------------+
|       Red Hat Advisories        | ----------------------------//
+---------------------------------+


* Redhat:  'ping' update
October 18th, 2000

Several problems in ping are fixed: 1. Root privileges are dropped
after acquiring a raw socket. 2. An 8 byte overflow of a static
buffer "outpack" is prevented. 3. An overflow of a static buffer
"buf" is prevented.

  alpha Package Name: iputils-20001010-1.6x.alpha.rpm
  ftp://updates.redhat.com/6.2/alpha/
  MD5 Checksum: 6904ba7f8502fb009002cd96645f0539

  sparc Package Name: iputils-20001010-1.6x.sparc.rpm
  ftp://updates.redhat.com/6.2/sparc/
  MD5 Checksum: 11c046097bfb8c3fa62635aa531edfeb

  i386 Package Name: iputils-20001010-1.6x.i386.rpm
  ftp://updates.redhat.com/6.2/i386/
  MD5 Checksum: ce5de156e02e5e8e010a344e8c0cdc34

  Red Hat Linux 7.0: i386

  Package Name: iputils-20001010-1.i386.rpm
  ftp://updates.redhat.com/7.0/i386/
  MD5 Checksum: 1973d87e9f0b685991ab4ffba1a7d257

  http://www.linuxsecurity.com/advisories/redhat_advisory-813.html



+---------------------------------+
|       Slackware Advisories      | ----------------------------//
+---------------------------------+


* Slackware:  'apache' update
October 17th, 2000

Several security problems have been found in the Apache web server
software. It is recommended that all users of Apache upgrade to the
latest stable release to fix these problems.

  Package Name: apache.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/
  MD5 Checksum: 42cabff64514457bf9e81e55decda9fe

  http://www.linuxsecurity.com/advisories/slackware_advisory-811.html



+---------------------------------+
|        SuSE Advisories          | ----------------------------//
+---------------------------------+


* SuSE:  'ypbind/ypclient' vulnerability
October 18th, 2000

Security problems have been found in the client code of the NIS
(Network Information System, aka yp - yellow pages) subsystem. SuSE
distributions before SuSE-6.1 came with the original ypbind program,
SuSE-6.2 and later included the ypbind-mt NIS client implementation.
ypbind-3.3 (the earlier version) has a format string parsing bug if
it is run in debug mode, and leaks file descriptors under certain
circumstances which can lead to a DoS. In addition, ypbind-3.3 may
suffer from buffer overflows.

  SuSE-7.0 Package Name: ypclient-3.5-89.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/
  MD5 Checksum: 76e4e7f60791db16c5e36fb5dbf60b65

  SuSE-6.4 Package Name: ypclient-3.4-95.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/
  MD5 Checksum: e485ea27264fb9c4f890cdf7605ffa30

  Sparc Platform:

  SuSE-7.0 Package Name: ypclient-3.5-89.sparc.rpm
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/
  MD5 Checksum: 1a38d25c8647f010e2a9879f28de4adf

  AXP Alpha Platform:

  SuSE-6.4 Package Name: ypclient-3.4-95.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/
  MD5 Checksum: 6aea95ca27245eb3df72da7596af3321

  SuSE-6.3 Package Name: ypclient-3.4-95.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/
  MD5 Checksum: b68f8690b7dc554ac9098c83f9c633cd

  PPC Power PC Platform:

  SuSE-6.4 Package Name: ypclient-3.4-95.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/
  MD5 Checksum: 26080b1443a3daa1de64c876ae36e6f2

  http://www.linuxsecurity.com/advisories/suse_advisory-814.html


* SuSE:  'traceroute' vulnerability
October 16th, 2000

The security problem in the traceroute program as shipped with SuSE
Linux distributions is completely different from the one reported on
security mailing lists a few days ago (`traceroute -g 1 -g 1') by
Pekka Savola. SuSE distributions do not contain this particular
traceroute implementation.

  i386 Intel Platform:

  SuSE-7.0 Package Name: nkitb-2000.10.4-0.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/
  MD5 Checksum: 6c8f713a071a96c287942f880cd5919c

  SuSE-6.4 Package Name: nkitb-2000.7.11-0.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/
  MD5 Checksum: 118075b7fc295be86b3659bf9b3fa778

  SuSE-6.3 Package Name: nkita-2000.10.4-0.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/
  MD5 Checksum: 6c5932e4083de6f499e4c77fcadbffc1

  SuSE-6.2 Package Name: nkita-2000.10.4-0.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/
  MD5 Checksum: 49269283c6d39a234f61303b2e918413

  SuSE-6.1 Package Name: nkita-2000.10.4-0.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/
  MD5 Checksum: 2fe1c6d70fcf1272da95f33ad7ad1010

  Sparc Platform:

  SuSE-7.0 Package Name: nkitb-2000.10.4-0.sparc.rpm
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/
  MD5 Checksum: e9bc3512b6182f540e74308c02d81f65

  AXP Alpha Platform:

  SuSE-6.4 Package Name: nkitb-2000.10.4-0.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/
  MD5 Checksum: 7850969c7b3beaf3fd1ce8b2a9246be0

  SuSE-6.3 Package Name: nkita-2000.10.4-0.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/
  MD5 Checksum: 6440a6a7da903829cff57a5f8c7cda91

  PPC Power PC Platform:

  SuSE-7.0 Package Name: nkitb-2000.10.5-0.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/7.0/a1/
  MD5 Checksum: 407d1c6731228f5d3e9addd108d31224

  SuSE-6.4 Package Name: nkitb-2000.10.4-0.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/
  MD5 Checksum: c432a5b8d37640be6e325ef9603f9cba

  http://www.linuxsecurity.com/advisories/suse_advisory-810.html


* SuSE:  'gnorpm' update
October 16th, 2000

Insecure temporary file handling may cause the gnorpm package to
overwrite arbitrary files on the system. As a workaround, it is
recommended to make sure that there are no active user processes on
the system while performing software updates with gnorpm. This can be
accomplished by bringing the Linux system down to runlevel
1 (multi-user without network) and starting the network by hand
(rci4l_hardware start; rci4l start;rcnetwork start; rcroute start).

  i386 Intel Platform:
  SuSE-7.0 Package Name: gnorpm-0.95-3.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/7.0/gnm3/
  MD5 Checksum: 6aa5ea031f48d903bf3fb4e2328fc4c7

  SuSE-6.4 Package Name: gnorpm-0.95-3.i386.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/6.4/gnm3/
  MD5 Checksum: 2f47a772c634c35d989078287668e67d

  Sparc Platform:

  SuSE-7.0 Package Name: gnorpm-0.9-159.sparc.rpm
  ftp://ftp.suse.com/pub/suse/sparc/update/7.0/gnm3/
  MD5 Checksum: 467a2839f7df52c31eb42b97ebb8dd0d

  AXP Alpha Platform:

  SuSE-6.4 Package Name: gnorpm-0.95-4.alpha.rpm
  ftp://ftp.suse.com/pub/suse/axp/update/6.4/gnm3/
  MD5 Checksum: b99a121e1469f958413b26eef1fd7ce9

  PPC Power PC Platform:

  SuSE-6.4 Package Name: gnorpm-0.95-3.ppc.rpm
  ftp://ftp.suse.com/pub/suse/ppc/update/6.4/gnm3/
  MD5 Checksum: 9ad07eb2c2c437ed427d8ec5cb2b8439

  http://www.linuxsecurity.com/advisories/suse_advisory-809.html



+---------------------------------+
|      TurboLinux Advisories      | ----------------------------//
+---------------------------------+


* TurboLinux:  'traceroute' vulnerability
October 17th, 2000

There is a bug in the traceroute command that can possibly be used by
local users to obtain superuser privileges. It is suggested that you
upgrade your traceroute to the version provided.

  Package Name: traceroute-1.4a7-2.i386.rpm

  ftp://ftp.turbolinux.com/pub/updates/6.0/
  MD5 Checksum: 1cf930da2a35d76ed3a9f76040a8a925

  http://www.linuxsecurity.com/advisories/turbolinux_advisory-812.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

