Information Security News mailing list archives
Linux Advisory Watch, Oct 20th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 20 Oct 2000 13:04:17 -0400
+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 20th, 2000                       Volume 1, Number 25a |
+----------------------------------------------------------------+

Editors: Dave Wreski                  Benjamin Thomas
         dave () linuxsecurity com    ben () linuxsecurity com

This week, advisories were released for gnupg, php, traceroute, curl, fingerd, xpdf, LPRng, muh, apache, cfengine, ping, ypbind/client, and gnorpm. The vendors include Caldera, Conectiva, Debian, FreeBSD, Mandrake, Red Hat, Slackware, SuSE, and TurboLinux. It is critical that you update all vulnerable packages to reduce the risk of being compromised.

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

-- OpenDoc Publishing --

Our sponsor this week is OpenDoc Publishing. Their 480-page comprehensive security book, Securing and Optimizing Linux, takes a hands-on approach to installing, optimizing, configuring, and securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

   # rpm -Uvh
   # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager) or dpkg (Debian Package Manager). Most advisories issued by vendors are packaged in either an rpm or dpkg. Additional installation instructions can be found in the body of the advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to determine whether the file has changed. It is commonly used to ensure the integrity of updated packages distributed by a vendor.

   # md5sum
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum published by the packager. While it does not take into account the possibility that the same person that may have modified a package also may have modified the published checksum, it is especially useful for establishing a great deal of assurance in the integrity of a package before installing.

+---------------------------------+
|  Caldera Advisories             | ----------------------------//
+---------------------------------+

* Caldera: 'gnupg' vulnerability
October 19th, 2000

There is a bug in the signature verification of GNUpg, the GNU replacement for PGP. Normally, signature verification with gnupg works as expected; gnupg properly detects when digitally signed data has been tampered with. These checks do not work properly if there are several sections with inline signatures within a single file. In this case, GNUpg does not always detect when some of the signed portions have been modified, and incorrectly claims that all signatures are valid.

Package Name: gnupg-1.0.4-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
MD5 Checksum: 3892693d729a46acc587dcece5a59f7c

http://www.linuxsecurity.com/advisories/caldera_advisory-816.html

* Caldera: 'php' update
October 13th, 2000

There's a format bug in the logging code of the mod_php3 module. It uses apache's aplog_error function, passing user-specified input as the format string. This can be exploited by a remote attacker to execute arbitrary shell commands under the HTTP server account (user httpd).

Package Name: mod_php3-3.0.17-1D.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
MD5 Checksum: 1821696bfa5b169c97760796f732b6d3

http://www.linuxsecurity.com/advisories/caldera_advisory-805.html

+---------------------------------+
|  Conectiva Advisories           | ----------------------------//
+---------------------------------+

* Conectiva: 'mod_php3' supplement
October 13th, 2000

Conectiva Linux 5.1 *is* also vulnerable to the mod_php3 problem reported in that advisory. Due to an operational error, it was not listed in that email, even though the fixed packages were already in our ftp area for that specific distro.

Packages available in vendor advisory.

http://www.linuxsecurity.com/advisories/other_advisory-798.html

+---------------------------------+
|  Debian Advisories              | ----------------------------//
+---------------------------------+

* Debian: Updated 'php3' packages
October 15th, 2000

ypbind is used to request information from a NIS server which is then used by the local machine. The logging code in ypbind was vulnerable to a printf formatting attack which can be exploited by passing ypbind a carefully crafted request. This way ypbind can be made to run arbitrary code as root.

Alpha architecture: nis_3.8-0.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/
MD5 checksum: 1e361e5a9671c02eafdddeee4071f2cb

ARM architecture: nis_3.8-0.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/
MD5 checksum: a1ba8db1065c56a1d18c063f6a69218b

Intel ia32 architecture: nis_3.8-0.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/
MD5 checksum: b1a4588f81c0fda4815172d5a2bee134

PowerPC architecture: nis_3.8-0.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/
MD5 checksum: 5ac411b1d68da664649c1828962ee985

Sun Sparc architecture: nis_3.8-0.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/
MD5 checksum: 063c6e424da6ad714a3be5e85be034b9

http://www.linuxsecurity.com/advisories/caldera_advisory-807.html

* Debian: Updated 'php4' packages
October 15th, 2000

In versions of the PHP 4 packages before version 4.0.3, several format string bugs could allow properly crafted requests to execute code as the user running PHP scripts on the web server.

Packages available in vendor advisory.

http://www.linuxsecurity.com/advisories/debian_advisory-806.html

* Debian: 'traceroute' update
October 13th, 2000

In versions of the traceroute package before 1.4a5-3, it is possible for a local user to gain root access by exploiting an argument parsing error.

Alpha architecture: traceroute_1.4a5-3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/
MD5 checksum: 6b3f20ecb08276c15715ae54ef8be0c7

ARM architecture: traceroute_1.4a5-3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/
MD5 checksum: 3e92eb865b388769da00a5cb3297a862

Intel ia32 architecture: traceroute_1.4a5-3_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/
MD5 checksum: feba02e20848bdfafa6bf7dd9c594eba

Motorola 680x0 architecture: traceroute_1.4a5-3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/
MD5 checksum: fdc5a6ed3cd97067c4b7e1ddf7945287

PowerPC architecture: traceroute_1.4a5-3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/
MD5 checksum: 3cb1524fccc1eb0e011ec17d2d2a1407

Sun Sparc architecture: traceroute_1.4a5-3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/
MD5 checksum: a9f078c807e52ab1a68bdeba0d364be1

http://www.linuxsecurity.com/advisories/debian_advisory-796.html

* Debian: 'curl' and 'curl-ssl' updates
October 13th, 2000

The version of curl as distributed with Debian GNU/Linux 2.2 had a bug in the error logging code: when it created an error message it failed to check the size of the buffer allocated for storing the message. This could be exploited by the remote machine by returning an invalid response to a request from curl which overflows the error buffer and tricks curl into executing arbitrary code.

Packages available in vendor advisories.

http://www.linuxsecurity.com/advisories/debian_advisory-804.html

+---------------------------------+
|  FreeBSD Advisories             | ----------------------------//
+---------------------------------+

* FreeBSD: 'fingerd' vulnerability
October 13th, 2000

Remote users can obtain read access (as the 'nobody' user) to large parts of the local filesystem on systems running a vulnerable fingerd.
This may disclose confidential information and may facilitate further attacks on the system.

Vendor Patch:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:54/fingerd.patch

http://www.linuxsecurity.com/advisories/freebsd_advisory-799.html

* FreeBSD: 'xpdf' ports vulnerability
October 13th, 2000

Local users, using a symlink attack, can cause arbitrary files owned by the user running xpdf to be overwritten. Also, malicious PDFs can cause arbitrary code to be executed.

Package Name: xpdf-0.91.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/

http://www.linuxsecurity.com/advisories/freebsd_advisory-800.html

* FreeBSD: 'LPRng' ports vulnerability
October 13th, 2000

Local and remote users may potentially gain root privileges on systems using LPRng. If you have not chosen to install the LPRng port/package, then your system is not vulnerable to this problem.

Package Name: LPRng-3.6.25.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/

http://www.linuxsecurity.com/advisories/freebsd_advisory-801.html

* FreeBSD: 'muh' ports vulnerability
October 13th, 2000

Remote IRC users can cause arbitrary code to be executed as the user running muh. If you have not chosen to install the muh port/package, then your system is not vulnerable to this problem.

Package Name: muh-2.05c.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/irc/

http://www.linuxsecurity.com/advisories/freebsd_advisory-802.html

+---------------------------------+
|  Mandrake Advisories            | ----------------------------//
+---------------------------------+

* Mandrake: 'apache' update
October 19th, 2000

The Apache web server comes with a module called mod_rewrite which is used to rewrite URLs presented by the client prior to further processing. There is a flaw in the mod_rewrite logic that allows an attacker to view arbitrary files on the server system if they contain regular expression references.
All Linux-Mandrake users using Apache are encouraged to upgrade to these updated versions that fix this flaw.

Package Name: apache-1.3.6-29mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
MD5 Checksum: 77fa37ac213493d94f5817f93710cbb8

Package Name: apache-devel-1.3.6-29mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
MD5 Checksum: 8c51afd87ab8be5b08bc2d02fdc37298

Package Name: apache-1.3.9-8mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
MD5 Checksum: 890f342e3d33a73978b9ec60d53f3c54

Package Name: apache-devel-1.3.9-8mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
MD5 Checksum: 4308ebc3b5c496b74173d0af0cb43de9

Package Name: apache-1.3.9-18mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
MD5 Checksum: 094ae1b8764bd6c71519fe051b735e21

Package Name: apache-devel-1.3.9-18mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
MD5 Checksum: dc298d04f25fe4f5a895e898606b8551

Package Name: apache-suexec-1.3.9-18mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
MD5 Checksum: 7fe54f76cf8f5b46d35ba44944783811

Package Name: apache-1.3.12-15mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
MD5 Checksum: 6733773bb495b2095eae6670dc40c1a8

Package Name: apache-devel-1.3.12-15mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
MD5 Checksum: 6de0327248be26c363bb5bb32a8d7530

Package Name: apache-suexec-1.3.12-15mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
MD5 Checksum: 1bdbee39947ed25e99af77486eadeee0

http://www.linuxsecurity.com/advisories/mandrake_advisory-815.html

* Mandrake: 'cfengine' vulnerability
October 13th, 2000

The GNU cfengine is an abstract programming language for system administrators of large heterogeneous networks, used for maintenance and administration. There are a number of string format vulnerabilities in syslog() calls that can be abused to either make the cfengine program segfault and die or to execute arbitrary commands as the user the cfengine program runs as (usually root). The problems are fixed in this update and all Linux-Mandrake users are encouraged to upgrade.

Package Name: cfengine-1.5.4-5mdk.i586.rpm
ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
MD5 Checksum: 17bec62b5b573d91e2558fe06dae91f2

http://www.linuxsecurity.com/advisories/mandrake_advisory-794.html

* Mandrake: 'mod_php3' vulnerability
October 13th, 2000

PHP version 3, which ships with Linux-Mandrake, is vulnerable to format string attacks due to logging functions that make improper use of the syslog() and vsnprintf() functions. This renders PHP3-enabled servers vulnerable to compromise by remote attackers. This attack is only effective on PHP installations that log errors and warnings, while those servers that do not are not affected. By default, Linux-Mandrake systems do not have logging enabled.

Package available in vendor advisory.

http://www.linuxsecurity.com/advisories/mandrake_advisory-795.html

+---------------------------------+
|  Red Hat Advisories             | ----------------------------//
+---------------------------------+

* Redhat: 'ping' update
October 18th, 2000

Several problems in ping are fixed:

1. Root privileges are dropped after acquiring a raw socket.
2. An 8 byte overflow of a static buffer "outpack" is prevented.
3. An overflow of a static buffer "buf" is prevented.

alpha
Package Name: iputils-20001010-1.6x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/
MD5 Checksum: 6904ba7f8502fb009002cd96645f0539

sparc
Package Name: iputils-20001010-1.6x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/
MD5 Checksum: 11c046097bfb8c3fa62635aa531edfeb

i386
Package Name: iputils-20001010-1.6x.i386.rpm
ftp://updates.redhat.com/6.2/i386/
MD5 Checksum: ce5de156e02e5e8e010a344e8c0cdc34

Red Hat Linux 7.0:

i386
Package Name: iputils-20001010-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/
MD5 Checksum: 1973d87e9f0b685991ab4ffba1a7d257

http://www.linuxsecurity.com/advisories/redhat_advisory-813.html

+---------------------------------+
|  Slackware Advisories           | ----------------------------//
+---------------------------------+

* Slackware: 'apache' update
October 17th, 2000

Several security problems have been found in the Apache web server software. It is recommended that all users of Apache upgrade to the latest stable release to fix these problems.

Package Name: apache.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/
MD5 Checksum: 42cabff64514457bf9e81e55decda9fe

http://www.linuxsecurity.com/advisories/slackware_advisory-811.html

+---------------------------------+
|  SuSE Advisories                | ----------------------------//
+---------------------------------+

* SuSE: 'ypbind/ypclient' vulnerability
October 18th, 2000

Security problems have been found in the client code of the NIS (Network Information System, aka yp - yellow pages) subsystem. SuSE distributions before SuSE-6.1 came with the original ypbind program; SuSE-6.2 and later included the ypbind-mt NIS client implementation. ypbind-3.3 (the earlier version) has a format string parsing bug if it is run in debug mode, and leaks file descriptors under certain circumstances which can lead to a DoS. In addition, ypbind-3.3 may suffer from buffer overflows.

SuSE-7.0
Package Name: ypclient-3.5-89.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/
MD5 Checksum: 76e4e7f60791db16c5e36fb5dbf60b65

SuSE-6.4
Package Name: ypclient-3.4-95.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/
MD5 Checksum: e485ea27264fb9c4f890cdf7605ffa30

Sparc Platform:

SuSE-7.0
Package Name: ypclient-3.5-89.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/
MD5 Checksum: 1a38d25c8647f010e2a9879f28de4adf

AXP Alpha Platform:

SuSE-6.4
Package Name: ypclient-3.4-95.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/
MD5 Checksum: 6aea95ca27245eb3df72da7596af3321

SuSE-6.3
Package Name: ypclient-3.4-95.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/
MD5 Checksum: b68f8690b7dc554ac9098c83f9c633cd

PPC Power PC Platform:

SuSE-6.4
Package Name: ypclient-3.4-95.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/
MD5 Checksum: 26080b1443a3daa1de64c876ae36e6f2

http://www.linuxsecurity.com/advisories/suse_advisory-814.html

* SuSE: 'traceroute' vulnerability
October 16th, 2000

The security problem in the traceroute program as shipped with SuSE Linux distributions is completely different from the one reported on security mailing lists a few days ago (`traceroute -g 1 -g 1') by Pekka Savola. SuSE distributions do not contain this particular traceroute implementation.

i386 Intel Platform:

SuSE-7.0
Package Name: nkitb-2000.10.4-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/a1/
MD5 Checksum: 6c8f713a071a96c287942f880cd5919c

SuSE-6.4
Package Name: nkitb-2000.7.11-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/a1/
MD5 Checksum: 118075b7fc295be86b3659bf9b3fa778

SuSE-6.3
Package Name: nkita-2000.10.4-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/
MD5 Checksum: 6c5932e4083de6f499e4c77fcadbffc1

SuSE-6.2
Package Name: nkita-2000.10.4-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/
MD5 Checksum: 49269283c6d39a234f61303b2e918413

SuSE-6.1
Package Name: nkita-2000.10.4-0.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/
MD5 Checksum: 2fe1c6d70fcf1272da95f33ad7ad1010

Sparc Platform:

SuSE-7.0
Package Name: nkitb-2000.10.4-0.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/a1/
MD5 Checksum: e9bc3512b6182f540e74308c02d81f65

AXP Alpha Platform:

SuSE-6.4
Package Name: nkitb-2000.10.4-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/a1/
MD5 Checksum: 7850969c7b3beaf3fd1ce8b2a9246be0

SuSE-6.3
Package Name: nkita-2000.10.4-0.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/
MD5 Checksum: 6440a6a7da903829cff57a5f8c7cda91

PPC Power PC Platform:

SuSE-7.0
Package Name: nkitb-2000.10.5-0.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/a1/
MD5 Checksum: 407d1c6731228f5d3e9addd108d31224

SuSE-6.4
Package Name: nkitb-2000.10.4-0.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/a1/
MD5 Checksum: c432a5b8d37640be6e325ef9603f9cba

http://www.linuxsecurity.com/advisories/suse_advisory-810.html

* SuSE: 'gnorpm' update
October 16th, 2000

Insecure temporary file handling may cause the gnorpm package to overwrite arbitrary files on the system. As a workaround, it is recommended to make sure that there are no active user processes on the system while performing software updates with gnorpm.
This can be accomplished by bringing the Linux system down to runlevel 1 (multi-user without network) and starting the network by hand (rci4l_hardware start; rci4l start; rcnetwork start; rcroute start).

i386 Intel Platform:

SuSE-7.0
Package Name: gnorpm-0.95-3.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/gnm3/
MD5 Checksum: 6aa5ea031f48d903bf3fb4e2328fc4c7

SuSE-6.4
Package Name: gnorpm-0.95-3.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/gnm3/
MD5 Checksum: 2f47a772c634c35d989078287668e67d

Sparc Platform:

SuSE-7.0
Package Name: gnorpm-0.9-159.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/gnm3/
MD5 Checksum: 467a2839f7df52c31eb42b97ebb8dd0d

AXP Alpha Platform:

SuSE-6.4
Package Name: gnorpm-0.95-4.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/gnm3/
MD5 Checksum: b99a121e1469f958413b26eef1fd7ce9

PPC Power PC Platform:

SuSE-6.4
Package Name: gnorpm-0.95-3.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/gnm3/
MD5 Checksum: 9ad07eb2c2c437ed427d8ec5cb2b8439

http://www.linuxsecurity.com/advisories/suse_advisory-809.html

+---------------------------------+
|  TurboLinux Advisories          | ----------------------------//
+---------------------------------+

* TurboLinux: 'traceroute' vulnerability
October 17th, 2000

There is a bug in the traceroute command that can possibly be used by local users to obtain super user privilege. It is suggested to upgrade your traceroute to the version provided.

Package Name: traceroute-1.4a7-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/
MD5 Checksum: 1cf930da2a35d76ed3a9f76040a8a925

http://www.linuxsecurity.com/advisories/turbolinux_advisory-812.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".