Information Security News mailing list archives
Linux Advisory Watch - February 9th 2001
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 9 Feb 2001 00:17:31 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                     Linux Advisory Watch    |
|  February 9th, 2000                    Volume 2, Number 6a     |
+----------------------------------------------------------------+

Editors:  Dave Wreski                  Benjamin Thomas
          dave () linuxsecurity com    ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for glibc, proftp, bind, ja-xklock, ja-elvis, ja-helvis, dc20ctrl, mars_nwe, XEmacs, SSH1, slocate, and the 2.2/2.4 kernel. The vendors include Caldera, Conectiva, FreeBSD, Immunix, Red Hat, and TurboLinux.

Caldera's kernel advisory cannot be ignored. They report that an attacker can read large parts of the kernel's memory by passing a negative offset to sysctl(). Also, a race condition exists that may allow an attacker to modify running processes. Also this week, FreeBSD released many advisories for problems that may lead to root compromises. We advise that you update immediately.

Real World Linux Security: Bob Toxen's Perspective: In this interview, Bob introduces his new book, discusses the "seven deadly sins" of Linux security, and outlines the benefits of the open source software model. He also points out the pitfalls that many system administrators fall into and how to avoid them.

http://www.linuxsecurity.com/feature_stories/feature_story-76.html

# OpenDoc Publishing #

Our sponsor this week is OpenDoc Publishing. Their 480-page comprehensive security book, Securing and Optimizing Linux, takes a hands-on approach to installing, optimizing, configuring, and securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools edition.
http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

   # rpm -Uvh <filename>
   # dpkg -i <filename>

Packages can be installed easily by using rpm (Red Hat Package Manager) or dpkg (Debian Package Manager). Most advisories issued by vendors are packaged in either an rpm or dpkg. Additional installation instructions can be found in the body of the advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is strongly dependent upon the contents of the file to which it is applied. It can be used to compare against a previously-generated sum to determine whether the file has changed. It is commonly used to ensure the integrity of updated packages distributed by a vendor.

   # md5sum <filename>
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum published by the packager. While it does not take into account the possibility that the same person that may have modified a package also may have modified the published checksum, it is especially useful for establishing a great deal of assurance in the integrity of a package before installing it.

+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+

* Conectiva: 'proftp' DoS
February 8th, 2001

1) A memory leak will happen every time a SIZE command is given, provided that the scoreboard file is not writable. The default installation is *not* vulnerable to this problem;

2) A similar problem existed with the USER command. Every USER command would cause the server to use more memory.

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 proftpd-1.2.0rc3-1cl.i386.rpm

 ftp://atualizacoes.conectiva.com.br/6.0/RPMS/
 proftpd-doc-1.2.0rc3-1cl.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1143.html

* Conectiva: 'glibc' local vulnerability
February 5th, 2001

Local vulnerabilities were found in the glibc package shipped with Conectiva Linux that would allow an attacker to overwrite any file on the system. Many environment variables were honored when running a SUID program, and it was shown that even "trusted" libraries could be used to overwrite files on the system.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1130.html

+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera: two kernel security problems
February 8th, 2001

There are two security problems in 2.2 and 2.4 kernels. By passing a negative offset to sysctl(), an attacker can read large parts of Linux kernel memory. In addition, a race condition has been discovered that allows an attacker to attach via ptrace to a setuid process, allowing him to modify the running process.

 ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
 RPMS/linux-source-i386-2.2.10-11.i386.rpm
 0d779697b36fbad15c66fa5fb050982c

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1141.html

+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: 'ja-elvis' and 'ko-helvis' ports vulnerability
February 7th, 2001

Unprivileged local users may gain root privileges on the local system. If you have not chosen to install the ja-elvis or ko-helvis ports/packages, then your system is not vulnerable to this problem.

 PLEASE SEE VENDOR ADVISORY FOR UPDATED PACKAGES

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1138.html

* FreeBSD: 'dc20ctrl' ports vulnerability
February 7th, 2001

Unprivileged local users may gain increased privileges on the local system including potentially unauthorized access to the serial port devices. If you have not chosen to install the dc20ctrl port/package, then your system is not vulnerable to this problem.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/graphics/dc20ctrl-0.4_1.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/index.html

* FreeBSD: 'mars_nwe' ports vulnerability
February 7th, 2001

Malicious remote users may cause arbitrary code to be executed on the local system, potentially gaining root access. If you have not chosen to install the mars_nwe port/package, then your system is not vulnerable to this problem.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/net/mars_nwe-0.99.b19_1.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1140.html

* FreeBSD: 'bind' vulnerabilities [UPDATED]
February 7th, 2001

Malicious remote users can cause the named daemon to crash, if it is configured to allow zone transfers and recursive queries.

 i386

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-3-stable/net/bind-8.2.2p7.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-4-stable/net/bind-8.2.2p7.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/net/bind-8.2.2p7.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1134.html

* FreeBSD: 'ja-xklock' ports vulnerability
February 7th, 2001

Malicious remote users can cause the named daemon to crash, if it is configured to allow zone transfers and recursive queries.

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1136.html

+---------------------------------+
|  Immunix                        | ----------------------------//
+---------------------------------+

* Immunix: 'glibc' vulnerability [UPDATED]
February 5th, 2001

The glibc packages that WireX released for Immunix 6.2 on January 19, 2001 in advisory IMNX-2000-62-043-01 did not fix the security problems they were intended to fix. New glibc packages have been released which fix the glibc security problem. As an added bonus, these packages also allow Kylix to run properly on Immunix 6.2.

 http://immunix.org/ImmunixOS/6.2/updates/RPMS/
 glibc-2.1.3-22_StackGuard_3.i386.rpm
 ae87b4f205f8f03711fd99c19647624c

 http://immunix.org/ImmunixOS/6.2/updates/RPMS/
 glibc-devel-2.1.3-22_StackGuard_3.i386.rpm
 f8de4cf2334af98dd2999227403a493a

 http://immunix.org/ImmunixOS/6.2/updates/RPMS/
 glibc-profile-2.1.3-22_StackGuard_3.i386.rpm
 33631d683818f8ca419a18fb40c19194

 http://immunix.org/ImmunixOS/6.2/updates/RPMS/
 scd-2.1.3-22_StackGuard_3.i386.rpm
 6ab5d6610b63eaeb15218cb0698cf8f1

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1131.html

+---------------------------------+
|  Red Hat                        | ----------------------------//
+---------------------------------+

* Red Hat 7.0: 'XEmacs' vulnerability
February 6th, 2001

The XEmacs package as shipped with Red Hat Linux 7 has a security problem with gnuserv and gnuclient.

 i386:

 ftp://updates.redhat.com/7.0/i386/xemacs-21.1.14-2.7.i386.rpm
 916e1d40cdf26266c7ae0b04c6e4ade6

 ftp://updates.redhat.com/7.0/i386/xemacs-el-21.1.14-2.7.i386.rpm
 3a62c3d7f3867917c6ce1b2d55f4ea03

 ftp://updates.redhat.com/7.0/i386/xemacs-info-21.1.14-2.7.i386.rpm
 1d75d7880c07e884137665362c1b62f2

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1133.html

* Red Hat 6.2: 'XEmacs' vulnerability
February 6th, 2001

The XEmacs package as shipped with Red Hat PowerTools 6.2 has a security problem with gnuserv and gnuclient, due to a buffer overflow and weak security.

 i386:

 ftp://updates.redhat.com/powertools/6.2/i386/
 xemacs-21.1.14-2.62.i386.rpm
 661aae1be3097c403df3d38eb5f6ae80

 ftp://updates.redhat.com/powertools/6.2/i386/
 xemacs-el-21.1.14-2.62.i386.rpm
 03fab61adb2f874f95dfc895e1ede878

 ftp://updates.redhat.com/powertools/6.2/i386/
 xemacs-info-21.1.14-2.62.i386.rpm
 bae82e4622a0b4b810eaa690446442b5

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1132.html

+---------------------------------+
|  TurboLinux                     | ----------------------------//
+---------------------------------+

* TurboLinux: 'slocate' vulnerability
February 8th, 2001

Secure Locate maintains an index of the entire filesystem, including files only visible by root. The slocate binary is setgid "slocate" so it can read this index. The heap-corruption vulnerability may compromise disclosure of these files if exploited. When running slocate, users are able to specify a database of their own as a command-line parameter. A subtle vulnerability exists in slocate's reading of these user-supplied databases that may allow a local user to execute arbitrary code with effective gid slocate.

 ftp://ftp.turbolinux.com/pub/updates/6.0
 security/slocate-2.3-2.i386.rpm
 2218c7eff5c4541202417b78238b3174

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/turbolinux_advisory-1142.html

* SSH1 Session Key Vulnerability
February 7th, 2001

A would-be attacker could obtain and store all the encrypted packets belonging to a specific client-server connection, but that would provide no real value unless she is able to:

1) Decrypt them without having the session key used for the encryption. This is equivalent to breaking the crypto algorithm used.

or

2) Exploit some design or implementation problem on either client or server to obtain the session key and then proceed to decrypt the stored session using any implementation of the crypto algorithm used.

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1135.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".