Information Security News mailing list archives

Linux Advisory Watch - January 19th 2001


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 19 Jan 2001 01:11:34 -0500

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  January 19th, 2001                      Volume 2, Number 3a   |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for php4, inn, dhcpd, zope,
stunnel, joe, bash, syslog-ng, openssh, linuxconf, wu-ftpd, glibc,
and diffutils/squid.  The vendors include Conectiva, Caldera,
FreeBSD, Mandrake, and Trustix.

Are you vulnerable?  A self-propagating worm known as Ramen is exploiting
multiple Red Hat 6.2-7.0 systems.  Servers running wu-ftp, rpc.statd, or
LPRng could be vulnerable to this exploit. After attacking a system, Ramen
defaces index.html if it is a webserver, and then continues to scan for
other vulnerable systems.  Internet Security Systems, Inc. has written a
detailed overview of Ramen.

It can be found here:
http://www.linuxsecurity.com/articles/network_security_article-2335.html

* Our list of Red Hat advisories is located here:
http://www.linuxsecurity.com/advisories/redhat.html

Although Red Hat servers seem to be the only systems specifically
targeted, that does not rule out the possibility that other distros
are vulnerable, especially those derived from Red Hat. This is yet
another example of how vulnerability awareness and proactiveness can
help you defend your network.


# FREE VISOR with purchase of Guardian Digital's Linux Lockbox #

Guardian Digital has just announced an offer for a free Handspring
Visor with the purchase of any secure Linux Lockbox.  The Lockbox is
an Open Source network server appliance engineered to be a complete
secure e-business solution.  It can be used as a commerce server, web
server, DNS, mail, and database server.  Please see Guardian
Digital's website for details.

http://www.guardiandigital.com/visoroffer.html

# OpenDoc Publishing #

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html


HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html


+---------------------------------+
| Installing a new package:       | ------------------------------//
+---------------------------------+

# rpm -Uvh <filename>
# dpkg -i <filename>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
| Checking Package Integrity:     | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

# md5sum <filename>
ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager. While this does not account for the
possibility that the same person who modified a package may also
have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.
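
The check described above, as an added example that is not part of the
original newsletter: it reads the package / URL / checksum triples used
in this issue's advisory entries and compares each sum against the MD5
of a local file. The file names, sample bytes and the
updates.example.invalid URL are constructed; a match shows only that the
file equals what the listing describes, and MD5 is no longer
collision-resistant.

```python
# Added example: verify local packages against "path / URL / md5" triples.
import hashlib
import os
import re
import tempfile

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def parse_entries(text):
    """Return {package file name: md5} for each path/URL/md5 triple."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = {}
    for i, line in enumerate(lines):
        # A checksum line only counts when the line above it is the URL.
        if i >= 2 and MD5_RE.match(line) and "://" in lines[i - 1]:
            entries[os.path.basename(lines[i - 2])] = line.lower()
    return entries

def md5_of(path, chunk=65536):
    """Hash the file in chunks so large packages are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify(directory, entries):
    """Map each listed package to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = "ok" if md5_of(path) == expected else "MISMATCH"
    return results

def demo():
    """Constructed listing and files: one intact, one altered, one absent."""
    intact, published = b"constructed package bytes", b"bytes the vendor built"
    listing = "\n".join(
        f" RPMS/{name}\n ftp://updates.example.invalid/RPMS/\n {hashlib.md5(data).hexdigest()}\n"
        for name, data in [("a-1.0.rpm", intact), ("b-1.0.rpm", published), ("c-1.0.rpm", b"x")])
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in [("a-1.0.rpm", intact), ("b-1.0.rpm", b"altered copy")]:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify(tmp, parse_entries(listing))

if __name__ == "__main__":
    print(demo())
```

A package reported as MISMATCH or missing should not be passed to rpm
or dpkg.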

+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+

* Conectiva:  'php4' vulnerability
January 18th, 2001

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
through PHP 4.0.4 are vulnerable to these problems. Note that only
the Apache module version of PHP is vulnerable - the CGI module as
well as other server modules are *NOT* affected.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1060.html



+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera:  'inn' temp file vulnerability
January 16th, 2001

INN uses a temporary directory for several operations. Those
operations use it in an insecure manner, which would allow an attacker
to gain access to the 'news' user. Since INN is not supposed to work
in a public temporary directory, please use the described workaround
to change the temp directory to a news-private one.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1057.html



* Caldera:  'dhcpd' vulnerability
January 16th, 2001

The DHCP server and client shipped as part of OpenLinux had security
problems in the error logging code. An attacker can potentially
overflow a static buffer, and provide a string containing formatting
directives.

 RPMS/dhcp2-2.0-1.i386.rpm
 ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
 7d97d64396ab2ac7985cc2f0289850c9

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1058.html



* Caldera:  'mgetty' temp file vulnerability
January 16th, 2001

It is possible to specify PHP directives on a per-directory basis
under apache. In the vulnerable versions of PHP, a remote attacker
could craft an HTTP request that would cause the next page to be
served with the wrong values for these directives.

 PLEASE SEE VENDOR ADVISORY

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1059.html



+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: 'joe' creates insecure recovery files
January 15th, 2001

Malicious local users, under certain restricted conditions, may
obtain read access to non-readable files edited using the joe editor.
If you have not chosen to install the joe port/package, then your
system is not vulnerable to this problem.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/editors/joe-2.8_2.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
 packages-5-current/editors/joe-2.8_2.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1053.html



* FreeBSD: 'bash1' creates insecure temporary file
January 15th, 2001

Unprivileged local users can cause an arbitrary file writable by a
victim to be overwritten when the victim invokes the '<<' operator in
bash1 (e.g. from within a shell script). If you have not chosen to
install the bash1 port/package, then your system is not vulnerable to
this problem.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/shells/bash-1.14.7.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
 packages-5-current/shells/bash-1.14.7.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1054.html



* FreeBSD: 'syslog-ng' remote DoS
January 15th, 2001

Malicious remote attackers may cause syslog-ng to crash, causing a
denial-of-service if the daemon is not running under a watchdog
process which will automatically restart it in the event of failure.
The default installation of the port/package is therefore vulnerable
to this problem.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/sysutils/syslog-ng-1.4.10.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
 packages-5-current/sysutils/syslog-ng-1.4.10.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1055.html



* FreeBSD: 'openssh' vulnerability
January 15th, 2001

Hostile SSH servers can access your X11 display or your ssh-agent
when connected to, which may allow access to confidential data or
other network accounts, through snooping of password or keying
material through the X11 session, or reuse of the SSH credentials
obtained through the SSH agent.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/security/openssh-2.2.0.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
 packages-5-current/security/openssh-2.2.0.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1056.html




* FreeBSD: 'zope' privilege escalation vulnerability
January 15th, 2001

Zope users with privileges in one folder may be able to gain the same
privileges in other folders. If you have not chosen to install the
zope port/package, then your system is not vulnerable to this
problem.

 PLEASE SEE VENDOR ADVISORY

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1051.html



* FreeBSD: 'stunnel' root compromise potential
January 15th, 2001

Malicious remote users may execute arbitrary code on the local system
as the user running stunnel, under certain circumstances. If you have
not chosen to install the stunnel port/package, then your system is
not vulnerable to this problem.

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
 packages-5-current/security/stunnel-3.10.tgz

 ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
 packages-5-current/security/stunnel-3.10.tgz

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/freebsd_advisory-1052.html




+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+


* Mandrake: 'glibc' vulnerability
January 18th, 2001

The LD_PRELOAD variable in the GNU C Library is honoured normally
even for SUID/SGID applications (but removed afterwards from the
environment) if it does not contain '/' characters. There is a
special check which only preloads found libraries if they have the
SUID bit set.

 7.2/RPMS/glibc-2.1.3-18.3mdk.i586.rpm
 http://www.linux-mandrake.com/en/ftp.php3
 4720a8d7f0c973a3eec8a7539766b590

 7.2/RPMS/glibc-devel-2.1.3-18.3mdk.i586.rpm
 http://www.linux-mandrake.com/en/ftp.php3
 fcdbafc369120fb5a81566fd3cdabe03

 7.2/RPMS/glibc-profile-2.1.3-18.3mdk.i586.rpm
 http://www.linux-mandrake.com/en/ftp.php3
 df76db4b226004082bbc0eb4d1034e87

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1061.html



* Mandrake:  'wu-ftpd' vulnerability
January 14th, 2001

WireX discovered a temporary file creation bug in the 2.6.1 release
of wu-ftpd. The problem exists in the privatepw helper program. As
well, Linux-Mandrake 7.2 users must update to this package as it
fixes security problems as discussed in the prior advisory,
DKSA-2000:014, which had not been previously addressed for 7.2.

 7.2/RPMS/wu-ftpd-2.6.1-8.3mdk.i586.rpm
 http://www.linux-mandrake.com/en/ftp.php3
 4a0d0bd05592b44e8b8cb4915223b789

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1049.html



* Mandrake:  'linuxconf' vulnerability
January 14th, 2001

WireX discovered a potential temporary file race problem in the
vpop3d program in the linuxconf package. This update corrects the
problem.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1048.html



+---------------------------------+
|  Trustix                        | ----------------------------//
+---------------------------------+


* Trustix: 'diffutils' and 'squid' vulnerabilities
January 12th, 2001

Trustix today released updated versions of the diffutils and squid
packages with patches fixing insecure tempfile handling leading to
potential local root compromise.

 diffutils-2.7-18tr.i586.rpm
 ftp://ftp.trustix.net/pub/Trustix/updates/
 843a08cbe2a02b7a3a9c5495c2a005bf

 squid-2.3.STABLE4-3tr.i586.rpm
 ftp://ftp.trustix.net/pub/Trustix/updates/
 ef5fa6722ffae66a9fd19f9e24c2c8e9

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1047.html



* PHP Security Advisory - Apache Module bugs
January 15th, 2001

All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
through PHP 4.0.4 are vulnerable to these problems. Note that only
the Apache module version of PHP is vulnerable - the CGI module as
well as other server modules are *NOT* affected.

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1050.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com