Information Security News mailing list archives
Linux Advisory Watch, October 6th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 6 Oct 2000 13:36:02 -0400
+----------------------------------------------------------------+
| LinuxSecurity.com                         Linux Advisory Watch |
| October 6th, 2000                         Volume 1, Number 23a |
+----------------------------------------------------------------+

Editors:  Dave Wreski                 Benjamin Thomas
          dave () linuxsecurity com   ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for lpr, LPRng, libutil, gnorpm,
traceroute, and xinitrc. The vendors include Conectiva, Immunix,
Mandrake, OpenBSD, and RedHat. It is critical that you update all
vulnerable packages.

One of the more serious advisories released this week is lpr. There is
a format string bug in lpd that could potentially be exploited to gain
local root access. There is also a bug in traceroute that could result
in a local root compromise.

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html

-- OpenDoc Publishing ------------------------------------------//

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

+---------------------------------+
| Installing a new package:       | ----------------------------//
+---------------------------------+

# rpm -Uvh
# dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the Advisories.

+---------------------------------+
| Checking Package Integrity:     | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to
determine whether the file has changed. It is commonly used to ensure
the integrity of updated packages distributed by a vendor.

# md5sum
ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
| Conectiva Advisory              | ----------------------------//
+---------------------------------+

* Conectiva: 'lpr' vulnerability
  October 5th, 2000

  There is a format bug in lpd in a syslog() call that could be used to
  obtain root access. The exploit would have to successfully inject
  format strings in a hostname to cause damage.

  Updated Package: lpr-0.50-6cl
  ftp://atualizacoes.conectiva.com.br/4.0/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/lpr-0.50-6cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-757.html

* Conectiva: 'gnorpm' vulnerability
  October 3rd, 2000

  Gnorpm versions prior to 0.95 use files in the /tmp dir in an insecure
  manner. If gnorpm is run as root, this vulnerability could lead to any
  file on the system being overwritten by gnorpm.

  Updated Package: gnorpm-0.95.1-1cl
  ftp://atualizacoes.conectiva.com.br/5.1/RPMS/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-751.html

* Conectiva: 'traceroute' local root exploit
  September 30th, 2000

  Previous releases of traceroute contained some problems that could be
  exploited to gain local root access. All users should upgrade the
  traceroute package.

  Updated Package: traceroute-1.4a7-2cl
  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-747.html

+---------------------------------+
| GnoRPM Advisory                 | ----------------------------//
+---------------------------------+

* GnoRPM Vulnerability
  October 2nd, 2000

  While fixing other problems with the gnorpm package a locally
  exploitable security hole was found where a normal user could trick
  root running GnoRPM into writing to arbitrary files due to a bug in
  the gnorpm tmp file handling.

  Updated Package: gnorpm-0.95.1.tar.gz
  ftp://ftp.linux.org.uk:/pub/linux/alan/GNORPM/gnorpm-0.95.1.tar.gz
  80521433f88fa09899e9105a24c69ef9

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-750.html

+---------------------------------+
| Immunix Advisory                | ----------------------------//
+---------------------------------+

* Immunix: 'lpr' vulnerability
  October 4th, 2000

  Packages have been built for Immunix OS 6.2 (StackGuarded versions of
  the RedHat packages.)

  Updated Package: lpr-0.50-7_StackGuard.i386.rpm
  http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  5f08dd8fadc05e71bbdafad6b2744dc8

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-755.html

+---------------------------------+
| Mandrake Advisories             | ----------------------------//
+---------------------------------+

* Mandrake: 'lpr' vulnerability
  October 5th, 2000

  There is a format string bug in lpr with its calls to the syslog
  facility.
  There are no known exploits at this time, but it may be possible for a
  user to gain local root access. This new lpr fixes this problem.

  Updated Package: lpr-0.50-3mdk
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  d19963294f539c64a4e852fb3f1f8c89
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  128b012e397473163c1e2c1ed4b78806
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  0ce870aa142c3482bdd0ad7b72a422c1
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  6d82c047a905fea7edecc9bed347eae0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-756.html

* Mandrake: 'traceroute' vulnerability
  October 2nd, 2000

  There is a bug in the traceroute program which causes segfaults and
  which could potentially be exploited to provide root privilege because
  the traceroute command is suid root. There are no known exploits
  currently, but users are encouraged to upgrade.

  Updated Package: traceroute-1.4a5-12mdk
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  1a4fa31d17673a14a19cc314109fea6f
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  ff46d392fa729585f04ac4e00e9c55aa
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  016b778a737cc26eab3b6c59757e135c
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  956f739b513e353683f7a923ea716d06

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-749.html

* Mandrake: 'xinitrc' vulnerability
  October 2nd, 2000

  A problem exists in the /etc/X11/Xsession file which disables the
  Xauthority mechanism of the localhost. This means that anyone logged
  into the localhost can arbitrarily connect to an X server running on
  the localhost. This is only a problem with systems that allow remote
  logins and is not a problem on systems that do not support remote
  logins or multiple users.

  Updated Package: xinitrc-2.4.4-11mdk
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  9b93ae07b177ec62a2a3110924060bb4
  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  8984bca66a1cf8f178125435cc8c786d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-748.html

+---------------------------------+
| OpenBSD Advisory                | ----------------------------//
+---------------------------------+

* OpenBSD: libutil format string vulnerability
  October 4th, 2000

  A format string vulnerability present in the pw_error() function of
  OpenBSD 2.7's libutil library can yield localhost users root access
  through the setuid /usr/bin/chpass utility. This particular
  vulnerability was repaired three months ago on June 30th in
  OpenBSD-current during a complete source tree audit for format string
  problems.

  * Patch available in vendor advisory.

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/openbsd_advisory-752.html

+---------------------------------+
| Red Hat Advisories              | ----------------------------//
+---------------------------------+

* Redhat: 'LPRng' vulnerability
  October 4th, 2000

  LPRng has a string format bug in the use_syslog function. This
  function returns user input in a string that is passed to the syslog()
  function as the format string. It is possible to corrupt the print
  daemon's execution with unexpected format specifiers, thus gaining
  root access to the computer. The vulnerability is theoretically
  exploitable both locally and remotely.

  Updated Package: LPRng-3.6.24-2
  ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm
  05251e71ae5f2d2fdbc6611eea6f8651

  http://www.linuxsecurity.com/advisories/redhat_advisory-753.html

* Redhat: 'lpr' vulnerability
  October 4th, 2000

  lpr has a format string security bug. It also mishandles any extension
  to the lpd communication protocol, and assumes that the instructions
  contained in the extension are a file it should try to print.
  It also has a race condition in the handling of queue interactions
  that can cause the queue to wedge.

  Updated Package: lpr-0.50-7
  ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.alpha.rpm
  ed03f53623add36f3b6da694c49c89c2
  ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.sparc.rpm
  cc2da623757572ed07ab4d88c57422ae
  ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.i386.rpm
  bf72425f9ddb0f8d9e2643fbea360f23
  --
  ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.alpha.rpm
  eaade33acd33346611b7171c2dd7ea03
  ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.sparc.rpm
  81a48e5d2d91d54d4ea8a4f9c89d5a41
  ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.i386.rpm
  542a70425ac1b75fb78880fc08f01986

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-754.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".
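
The lpr and LPRng advisories above describe the same defect: text derived from user input reaches syslog() as the format argument. The following is an added example, not code from the newsletter or from lpr/LPRng. capture_syslog() is a hypothetical stand-in for syslog() that formats into a buffer so the result can be inspected, and the hostname is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(3): same (priority, format, ...)
 * shape, but it formats into a buffer instead of writing to the log. */
static char last_msg[256];

static void capture_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: a line built from client-supplied data is handed
 * over as the format argument, so conversions inside it are interpreted. */
const char *log_unsafe(const char *hostname)
{
    char line[128];
    snprintf(line, sizeof line, "connection from %s", hostname);
    capture_syslog(6, line);        /* BUG: data used as the format */
    return last_msg;
}

/* Fixed pattern: the format is a constant and the untrusted text is
 * passed only as an argument to "%s". */
const char *log_safe(const char *hostname)
{
    char line[128];
    snprintf(line, sizeof line, "connection from %s", hostname);
    capture_syslog(6, "%s", line);
    return last_msg;
}

int main(void)
{
    /* Constructed input. "%%" is the one conversion that consumes no
     * argument, so the difference shows without undefined behaviour. */
    const char *host = "printer%%01";
    printf("unsafe: %s\n", log_unsafe(host));
    printf("safe:   %s\n", log_safe(host));
    return 0;
}
```

The unsafe call rewrites the logged hostname, which shows the input was parsed as a format. With the real syslog(), GCC and Clang report this call pattern under -Wformat-security.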