Information Security News mailing list archives
Linux Advisory Watch - January 19th 2001
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 19 Jan 2001 01:11:34 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch   |
|  January 19th, 2001                     Volume 2, Number 3a    |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com    ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for php4, inn, dhcpd, zope, stunnel,
joe, bash, syslog-ng, openssh, linuxconf, wu-ftpd, glibc, and
diffutils/squid. The vendors include Conectiva, Caldera, FreeBSD,
Mandrake, and Trustix.

Are you vulnerable? A self-propagating worm known as Ramen is exploiting
multiple Red Hat 6.2-7.0 systems. Servers running wu-ftp, rpc.statd, or
LPRng could be vulnerable to this exploit. After attacking a system,
Ramen defaces index.html if it is a webserver, and then continues to
scan for other vulnerable systems. Internet Security Systems, Inc. has
written a detailed overview of Ramen. It can be found here:

  http://www.linuxsecurity.com/articles/network_security_article-2335.html

* Our list of Red Hat advisories is located here:

  http://www.linuxsecurity.com/advisories/redhat.html

Although Red Hat servers seem to be the only systems specifically
targeted, that does not rule out the possibility that other distros are
vulnerable, especially those derived from Red Hat. This is yet another
example of how vulnerability awareness and proactiveness can help you
defend your network.

# FREE VISOR with purchase of Guardian Digital's Linux Lockbox #

Guardian Digital has just announced an offer for a free Handspring Visor
with the purchase of any secure Linux Lockbox. The Lockbox is an Open
Source network server appliance engineered to be a complete secure
e-business solution. It can be used as a commerce server, web server,
DNS, mail, and database server. Please see Guardian Digital's website
for details.

  http://www.guardiandigital.com/visoroffer.html

# OpenDoc Publishing #

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

  http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version of Newsletter:
  http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

   # rpm -Uvh
   # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to
determine whether the file has changed. It is commonly used to ensure
the integrity of updated packages distributed by a vendor.

   # md5sum
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing.

+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+

* Conectiva: 'php4' vulnerability
  January 18th, 2001

  All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
  through PHP 4.0.4 are vulnerable to these problems. Note that only the
  Apache module version of PHP is vulnerable - the CGI module as well as
  other server modules are *NOT* affected.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1060.html

+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera: 'inn' temp file vulnerability
  January 16th, 2001

  INN uses a temporary directory for several operations. Those
  operations use it in an unsecure manner, which would allow an attacker
  to gain access to the 'news' user. Since INN is not supposed to work
  in a public temporary directory, please use the described workaround
  to change the temp directory to a news private one.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1057.html

* Caldera: 'dhcpd' vulnerability
  January 16th, 2001

  The DHCP server and client shipped as part of OpenLinux had security
  problems in the error logging code. An attacker can potentially
  overflow a static buffer, and provide a string containing formatting
  directives.

  RPMS/dhcp2-2.0-1.i386.rpm
  ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
  7d97d64396ab2ac7985cc2f0289850c9

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1058.html

* Caldera: 'mgetty' temp file vulnerability
  January 16th, 2001

  It is possible to specify PHP directives on a per-directory basis
  under apache. In the vulnerable versions of PHP, a remote attacker
  could craft an HTTP request that would cause the next page to be
  served with the wrong values for these directives.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1059.html

+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: 'joe' creates insecure recovery files
  January 15th, 2001

  Malicious local users, under certain restricted conditions, may obtain
  read access to non-readable files edited using the joe editor. If you
  have not chosen to install the joe port/package, then your system is
  not vulnerable to this problem.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/editors/joe-2.8_2.tgz

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/editors/joe-2.8_2.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1053.html

* FreeBSD: 'bash1' creates insecure temporary file
  January 15th, 2001

  Unprivileged local users can cause an arbitrary file writable by a
  victim to be overwritten when the victim invokes the '<<' operator in
  bash1 (e.g. from within a shell script). If you have not chosen to
  install the bash1 port/package, then your system is not vulnerable to
  this problem.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/shells/bash-1.14.7.tgz

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/shells/bash-1.14.7.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1054.html

* FreeBSD: 'syslog-ng' remote DoS
  January 15th, 2001

  Malicious remote attackers may cause syslog-ng to crash, causing a
  denial-of-service if the daemon is not running under a watchdog
  process which will automatically restart it in the event of failure.
  The default installation of the port/package is therefore vulnerable
  to this problem.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/sysutils/syslog-ng-1.4.10.tgz

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/sysutils/syslog-ng-1.4.10.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1055.html

* FreeBSD: 'openssh' vulnerability
  January 15th, 2001

  Hostile SSH servers can access your X11 display or your ssh-agent when
  connected to, which may allow access to confidential data or other
  network accounts, through snooping of password or keying material
  through the X11 session, or reuse of the SSH credentials obtained
  through the SSH agent.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/security/openssh-2.2.0.tgz

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/security/openssh-2.2.0.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1056.html

* FreeBSD: 'zope' privilege escalation vulnerability
  January 15th, 2001

  Zope users with privileges in one folder may be able to gain the same
  privileges in other folders. If you have not chosen to install the
  zope port/package, then your system is not vulnerable to this problem.

  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1051.html

* FreeBSD: 'stunnel' root compromise potential
  January 15th, 2001

  Malicious remote users may execute arbitrary code on the local system
  as the user running stunnel using stunnel, under certain
  circumstances. If you have not chosen to install the stunnel
  port/package, then your system is not vulnerable to this problem.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
  packages-5-current/security/stunnel-3.10.tgz

  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/
  packages-5-current/security/stunnel-3.10.tgz

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/freebsd_advisory-1052.html

+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+

* Mandrake: 'glibc' vulnerability
  January 18th, 2001

  The LD_PRELOAD variable in the GNU C Library is honoured normally even
  for SUID/SGID applications (but removed afterwards from the
  environment) if it does not contain '/' characters. There is a special
  check which only preloads found libraries if they have the SUID bit
  set.

  7.2/RPMS/glibc-2.1.3-18.3mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  4720a8d7f0c973a3eec8a7539766b590

  7.2/RPMS/glibc-devel-2.1.3-18.3mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  fcdbafc369120fb5a81566fd3cdabe03

  7.2/RPMS/glibc-profile-2.1.3-18.3mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  df76db4b226004082bbc0eb4d1034e87

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1061.html

* Mandrake: 'wu-ftpd' vulnerability
  January 14th, 2001

  WireX discovered a temporary file creation bug in the 2.6.1 release of
  wu-ftpd. The problem exists in the privatepw helper program. As well,
  Linux-Mandrake 7.2 users must update to this package as it fixes
  security problems as discussed in the prior advisory, DKSA-2000:014,
  which had not been previously addressed for 7.2.

  7.2/RPMS/wu-ftpd-2.6.1-8.3mdk.i586.rpm
  http://www.linux-mandrake.com/en/ftp.php3
  4a0d0bd05592b44e8b8cb4915223b789

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1049.html

* Mandrake: 'linuxconf' vulnerability
  January 14th, 2001

  WireX discovered a potential temporary file race problem in the vpop3d
  program in the linuxconf package. This update corrects the problem.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1048.html

+---------------------------------+
|  Trustix                        | ----------------------------//
+---------------------------------+

* Trustix: 'diffutils' and 'squid' vulnerabilities
  January 12th, 2001

  Trustix today released updated versions of the diffutils and squid
  packages with patches fixing insecure tempfile handling leading to
  potential local root compromise.

  diffutils-2.7-18tr.i586.rpm
  ftp://ftp.trustix.net/pub/Trustix/updates/
  843a08cbe2a02b7a3a9c5495c2a005bf

  squid-2.3.STABLE4-3tr.i586.rpm
  ftp://ftp.trustix.net/pub/Trustix/updates/
  ef5fa6722ffae66a9fd19f9e24c2c8e9

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1047.html

* PHP Security Advisory - Apache Module bugs
  January 15th, 2001

  All versions of PHP 4.0, from PHP 4.0.0 (and possibly earlier betas)
  through PHP 4.0.4 are vulnerable to these problems. Note that only the
  Apache module version of PHP is vulnerable - the CGI module as well as
  other server modules are *NOT* affected.

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1050.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                 LinuxSecurity.com

  To unsubscribe email vuln-newsletter-request () linuxsecurity com
  with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com