Information Security News mailing list archives
Linux Advisory Watch - March 16th 2001
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 16 Mar 2001 10:14:27 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch   |
|  March 16th, 2001                       Volume 2, Number 11a   |
+----------------------------------------------------------------+

Editors:  Dave Wreski                 Benjamin Thomas
          dave () linuxsecurity com   ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for imap, joe, gnuserv, zope,
mailx, icecast, cfengine, rwhod, interbase, slrn, Mesa, sudo,
sgml-tools, and mutt. The vendors include Caldera, Debian, Immunix,
FreeBSD, Mandrake, Red Hat, and Trustix.

* Guardian Digital Presents EnGarde Linux

EnGarde is the next generation in Linux security providing a complete
suite of e-business services, intrusion alert capabilities, improved
authentication and access control utilizing strong cryptography, and
complete SSL secure Web-based administration capabilities.

http://www.engardelinux.org/preannounce.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

# rpm -Uvh
# dpkg -i

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories issued by
vendors are packaged in either an rpm or dpkg. Additional installation
instructions can be found in the body of the Advisories.

+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated sum
to determine whether the file has changed.
It is commonly used to ensure the integrity of updated packages
distributed by a vendor.

# md5sum
ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person that may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing

+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera: buffer overflows in the 'imap' package
March 12th, 2001

There are several buffer overflows in imap, ipop2d and ipop3d. These
overflows usually only make it possible for local users to gain access
to a process running under their own UID.

imap-4.6.BETA-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/
OpenLinux/2.3/current/RPMS/

Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1206.html

+---------------------------------+
|  Debian                         | ----------------------------//
+---------------------------------+

* Debian: 'mailx' buffer overflow
March 13th, 2001

The mail program (a simple tool to read and send email) as distributed
with Debian GNU/Linux 2.2 has a buffer overflow in the input parsing
code. Since mail is installed setgid mail by default this allowed
local users to use it to gain access to mail group.

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/mailx_8.1.1-10.1.5_i386.deb
MD5 checksum: 18d30b35676fa9887a626c46909c9d9d

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1212.html

* Debian: 'zope' update
March 9th, 2001

The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type.
Because the mutable object is still associated with the persistent
User object, users with the ability to edit DTML could arrange to give
themselves extra roles for the duration of a single request by
mutating the roles list as a part of the request processing.

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/zope_2.1.6-7_i386.deb
MD5 checksum: 40d548dc5e6b8927baf59a6b0da7591c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1203.html

* Debian: 'gnuserv', 'xemacs21' vulnerabilities
March 9th, 2001

Gnuserv has a buffer for which insufficient boundary checks were made.
Unfortunately this buffer affected access control to gnuserv which is
using a MIT-MAGIC-COOKIE based system. It is possible to overflow the
buffer containing the cookie and foozle cookie comparison.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1202.html

* Debian: 'joe' vulnerability
March 9th, 2001

joe will look for a configuration file in three locations: the current
directory, the user's home directory ($HOME) and in /etc/joe. Since
the configuration file can define commands joe will run (for example
to check spelling) reading it from the current directory can be
dangerous: an attacker can leave a .joerc file in a writable
directory, which would be read when an unsuspecting user starts joe in
that directory.
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/joe_2.8-15.3_i386.deb
MD5 checksum: 39f680f8fde72d0958431f617e774123

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1201.html

+---------------------------------+
|  Immunix                        | ----------------------------//
+---------------------------------+

* Immunix: 'mutt' format string vulnerability & more
March 15th, 2001

Immunix 7.0 does not install the mutt package by default but provides
it in the extras/unsupported directory so it does not need to be
upgraded unless it has been installed manually by the system
administrator.

http://immunix.org/ImmunixOS/6.2/updates/RPMS/
mutt-1.2.5i-8.6_StackGuard.i386.rpm

Vendor Advisory:

* Immunix: 'slrn' buffer overflow
March 15th, 2001

A buffer overflow in the slrn news reader has been reported by Bill
Nottingham. This buffer is created on the heap, so it is not protected
from overflows by the StackGuard compiler.

http://immunix.org/ImmunixOS/6.2/updates/RPMS/
slrn-0.9.6.4-0.6_StackGuard.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1221.html

* Immunix: 'sgml-tools' vulnerabilities
March 15th, 2001

Previous versions of the sgml-tools package would create temporary
files without any special permissions in the /tmp directory. This
could allow any user to read files that were being created by any
other user.

Precompiled binary package for Immunix 6.2 is available at:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/
sgml-tools-1.0.9-6.2_StackGuard.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1222.html

+---------------------------------+
|  FreeBSD                        | ----------------------------//
+---------------------------------+

* FreeBSD: 'interbase' ports vulnerability
March 13th, 2001

Remote users who can connect to the interbase database server can
obtain full access to all databases using a backdoor account built
into the server itself.
This account cannot be disabled.

PLEASE SEE VENDOR ADVISORY

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1211.html

* FreeBSD: 'icecast' ports vulnerability
March 13th, 2001

Arbitrary remote users can execute arbitrary code on the local system
as the user running icecast, usually the root user. If you have not
chosen to install the icecast port/package, then your system is not
vulnerable to this problem.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/audio/icecast-1.3.7_1.tgz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1207.html

* FreeBSD: 'cfengine' ports vulnerability
March 13th, 2001

Arbitrary remote users can execute code on the local system as the
user running cfengine, usually user root. If you have not chosen to
install the cfengine port/package, then your system is not vulnerable
to this problem.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/sysutils/cfengine-1.6.3.tar.gz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1208.html

* FreeBSD: 'rwhod' DoS
March 13th, 2001

Malformed packets sent to the rwhod daemon could cause it to crash,
thereby denying service to clients if rwhod is not run under a
watchdog process which causes it to automatically restart in the event
of a failure. The rwhod daemon is not run in this way in the default
invocation from /etc/rc.conf using the rwhod_enable variable.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1210.html

+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+

* Mandrake: 'sgml-tools' vulnerabilities
March 15th, 2001

A buffer overflow exists in versions of the slrn news reader prior to
0.9.6.3pl4 as reported by Bill Nottingham.
This problem exists in the wrapping/unwrapping functions and a long
header in a message might overflow a buffer which could result in
execution of arbitrary code encoded in the message.

7.2/RPMS/sgml-tools-1.0.9-8.1mdk.i586.rpm
c5e48714e3da71f692e447eb942a368b

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1219.html

* Mandrake: 'Mesa' vulnerability
March 14th, 2001

Ben Collins identified a temporary file race in the Utah-glx component
of the Mesa package which affects Linux-Mandrake 7.2. The
/tmp/glxmemory file is created by Utah-glx and because it is not
created securely could be used in a symlink attack which allows files
to be overwritten the next time the X server is started.

http://www.linux-mandrake.com/en/ftp.php3

7.2/RPMS/Mesa-3.3-14.1mdk.i586.rpm
d75f85f30af6c8fb57938b76323067ce

7.2/RPMS/Mesa-common-3.3-14.1mdk.i586.rpm
1a8bddaf0f26c5d1caa5c3af44d1c108

7.2/RPMS/Mesa-common-devel-3.3-14.1mdk.i586.rpm
ffd886a66f866faaf9ae0b7402644cde

7.2/RPMS/Mesa-demos-3.3-14.1mdk.i586.rpm
c9f32276cd54d8772c31afba619bf856

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1214.html

* Mandrake: 'sudo' buffer overflow
March 14th, 2001

A buffer overflow exists in the sudo program which could be used by an
attacker to obtain higher privileges. sudo is a program used to
delegate superuser privileges to ordinary users and only for specific
commands.

http://www.linux-mandrake.com/en/ftp.php3

7.2/RPMS/sudo-1.6.3p6-1.1mdk.i586.rpm
fe583824271ac2a5af6dd533027e8794

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1215.html

* Mandrake: 'slrn' buffer overflow
March 9th, 2001

A buffer overflow exists in versions of the slrn news reader prior to
0.9.6.3pl4 as reported by Bill Nottingham. This problem exists in the
wrapping/unwrapping functions and a long header in a message might
overflow a buffer which could result in execution of arbitrary code
encoded in the message.
PLEASE SEE VENDOR ADVISORY

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1205.html

+---------------------------------+
|  Red Hat                        | ----------------------------//
+---------------------------------+

* Red Hat: 'mutt' format string vulnerability
March 15th, 2001

It is recommended that all mutt users using Red Hat Linux upgrade to
the new packages. The version of mutt shipped in Red Hat Linux 7.0
does not contain the format string vulnerability; it is merely a
bugfix update.

7.0 i386:
ftp://updates.redhat.com/7.0/i386/mutt-1.2.5i-8.7.i386.rpm
0d528824313b49c60a21a513e1056067

6.2 i386:
ftp://updates.redhat.com/6.2/i386/mutt-1.2.5i-8.6.i386.rpm
362d9fcec4018f1c59ef43be0a276807

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1217.html

* Red Hat: 'sgml-tools' vulnerability
March 15th, 2001

Temporary files were created without any special permissions, and so
in most cases would be world-readable. The fixed packages create a
secure temporary directory first (readable only by the owner), and
then create temporary files inside that.

6.2 i386:
ftp://updates.redhat.com/7.0/i386/sgml-tools-1.0.9-9.i386.rpm
16a855840b74f58d41c4774a7dcc7cff

7.0 i386:
ftp://updates.redhat.com/6.2/i386/sgml-tools-1.0.9-6.2.i386.rpm
9e6a04a8e0b6e18f33c58fb7c02937b2

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1218.html

* Red Hat: 'slrn' overflow
March 14th, 2001

An overflow exists in the slrn package as shipped in Red Hat Linux 7
and Red Hat Linux 6.x, which could possibly lead to remote users
executing arbitrary code as the user running slrn.
i386:
ftp://updates.redhat.com/7.0/i386/slrn-0.9.6.4-0.7.i386.rpm
dd601a7324b5589326a5d92d3d2ee27f

ftp://updates.redhat.com/7.0/i386/slrn-pull-0.9.6.4-0.7.i386.rpm
d49c0b47e967bd9abdb7fec655b8e3ff

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1216.html

+---------------------------------+
|  Trustix                        | ----------------------------//
+---------------------------------+

Trustix: 'sudo' buffer overflow - 3/14/2001

Trustix today released an updated version of the sudo package fixing a
buffer overflow, as announced by the sudo maintainer Todd C. Miller.

sudo-1.6.3p6-1tr.i586.rpm
cc969c9746bea3ff01470c1eaf3ee415

ftp://ftp.trustix.net/pub/Trustix/updates/

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1213.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".