Information Security News mailing list archives
Linux Advisory Watch - March 9th 2001
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 9 Mar 2001 10:40:57 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch  |
|  March 9th, 2001                          Volume 2, Number 10a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com    ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

Debian, Debian, Debian! If you're using Debian, it's time to update:
13 advisories were just released.

This week, advisories were released for Zope, mail, mgetty, proftpd,
sudo, analog, ePerl, man2html, mc, nextaw, sgml-tools, glibc, slrn, joe,
and cups. The vendors include Conectiva, Caldera, Debian, Mandrake,
Red Hat, SuSE, and Immunix.

FREE SECURITY BOOKS - Guardian Digital has just announced an offer for
two free security books with the purchase of any secure Linux Lockbox.
The Lockbox is an Open Source network server appliance engineered to be
a complete secure e-business solution. It can be used as a commerce
server, web server, DNS, mail, and database server.
http://www.guardiandigital.com/bookoffer.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      | ------------------------------//
+---------------------------------+

  # rpm -Uvh <package>
  # dpkg -i <package>

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the Advisories.
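The installation step above should only be run once the downloaded package has been checked against the checksum the vendor published. The script below is an added example, not part of the newsletter or of any vendor's tooling: it computes the md5sum fingerprint of a package, compares it with the published value, and pulls that value out of an advisory laid out the way the Debian entries in this issue are (a package URL line followed by an "MD5 checksum:" line). It assumes GNU md5sum, awk and mktemp are present; the package file and the advisory excerpt it works on are constructed for the demo, and nothing is downloaded or installed.

```shell
#!/bin/sh
# Added example (not from the newsletter): verify a downloaded package's
# MD5 fingerprint against the checksum published in the vendor advisory
# before handing it to rpm -Uvh or dpkg -i. Assumes GNU md5sum (coreutils),
# awk and mktemp; the advisory excerpt and package below are constructed.

# verify_md5 FILE EXPECTED_HEX
# Exit status 0 when md5sum(FILE) equals EXPECTED_HEX (case-insensitive),
# 1 on mismatch, 2 when FILE cannot be read.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "verify_md5: cannot read $file" >&2; return 2; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK    $file"
        return 0
    fi
    echo "FAIL  $file: published $expected, computed $actual" >&2
    return 1
}

# advisory_md5 PKGFILE ADVISORY
# Prints the checksum published for PKGFILE (matched by basename) in an
# advisory laid out like the Debian entries in this issue: a package URL
# line followed by a "MD5 checksum: <hex>" line. Prints nothing if absent.
advisory_md5() {
    awk -v pkg="$1" '
        index($0, "/" pkg) { want = 1; next }
        want && /MD5 checksum:/ { print $3; exit }
        { want = 0 }
    ' "$2"
}

# --- Demo on constructed input: nothing is downloaded or installed ---
tmp=$(mktemp -d)
pkg="$tmp/demo_1.0-1_i386.deb"
printf 'hello\n' > "$pkg"     # stands in for the downloaded package

# Constructed advisory excerpt (hypothetical host, not a real vendor URL).
cat > "$tmp/advisory.txt" <<'EOF'
Intel ia32 architecture:
  http://security.example.invalid/dists/stable/updates/main/binary-i386/demo_1.0-1_i386.deb
    MD5 checksum: b1946ac92492d2347c6235b4d2611184
EOF

published=$(advisory_md5 demo_1.0-1_i386.deb "$tmp/advisory.txt")
if verify_md5 "$pkg" "$published"; then
    echo "fingerprint matches the advisory; safe to pass to dpkg -i"
fi

# A package altered after the advisory was written (or a mistyped
# checksum) must be refused, not installed.
printf 'hello world\n' > "$pkg"
if ! verify_md5 "$pkg" "$published"; then
    echo "mismatch: do not install $pkg"
fi
rm -rf "$tmp"
```

In practice the advisory text and the package come over different channels (the advisory by mail or from the vendor's web site, the package by FTP), which is what gives the comparison its value: an attacker who replaces the package on a mirror also has to alter the published checksum, as the next section notes.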
+---------------------------------+
|  Checking Package Integrity:    | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to
determine whether the file has changed. It is commonly used to ensure
the integrity of updated packages distributed by a vendor.

  # md5sum <package>
  ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who may have modified a package may
also have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  Conectiva                      | ----------------------------//
+---------------------------------+

* Conectiva: 'Zope' vulnerabilities
March 2nd, 2001

The Zope authors have released a new hotfix that addresses a
vulnerability with ZClasses. A user with through-the-web scripting
capabilities on a Zope site can view and assign class attributes to
ZClasses, possibly allowing

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1180.html

+---------------------------------+
|  Caldera                        | ----------------------------//
+---------------------------------+

* Caldera: '/bin/mail' buffer overflow
March 2nd, 2001

There is a buffer overflow in /bin/mail which allows a local attacker
to read, modify and delete mails of other users of the system.
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  abc1ee0ce4d52ba1dd7059167af66cdc

Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1181.html

+---------------------------------+
|  Debian                         | ----------------------------//
+---------------------------------+

* Debian: UPDATE: 'proftpd' vulnerabilities
March 8th, 2001

This is an update to the DSA-032-1 advisory. The powerpc package that
was listed in that advisory was unfortunately compiled on the wrong
system, which caused it not to work on a Debian GNU/Linux 2.2 system.

PowerPC architecture:
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/proftpd_1.2.0pre10-2.0potato1.1_powerpc.deb
    MD5 checksum: 710e1b324dc8962c14919d0e58078740

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1199.html

* Debian: 'glibc' vulnerabilities
March 8th, 2001

It was possible to use LD_PRELOAD to load libraries that are listed in
/etc/ld.so.cache, even for suid programs. This could be used to create
(and overwrite) files which a user should not be allowed to.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1198.html

* Debian: 'slrn' buffer overflow
March 8th, 2001

Bill Nottingham reported a problem in the wrapping/unwrapping functions
of the slrn newsreader. A long header in a message might overflow a
buffer, which could result in executing arbitrary code encoded in the
message.
Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/slrn_0.9.6.2-9potato1_i386.deb
    MD5 checksum: c871721245934e479a70fc712fa24021
  http://security.debian.org/dists/stable/updates/main/binary-i386/slrnpull_0.9.6.2-9potato1_i386.deb
    MD5 checksum: 2e8c43ac86e3a28ca5c65f40c47315d8

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1200.html

* Debian: 'sgml-tools' insecure temp files
March 7th, 2001

Former versions of sgml-tools created temporary files directly in /tmp
in an insecure fashion. Version 1.0.9-15 and higher create a
subdirectory first and open temporary files within that directory.

Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/sgml-tools_1.0.9-15_i386.deb
    MD5 checksum: bc2d3d8eea05c1b0495724390b2099a4

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1196.html

* Debian: 'nextaw', 'xaw3d', and 'xaw95' vulnerabilities
March 7th, 2001

It has been reported that the AsciiSrc and MultiSrc widgets in the
Athena widget library handle temporary files insecurely. Joey Hess has
ported the bugfix from XFree86 to these Xaw replacement libraries.
Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/nextaw_0.5.1-34potato1_i386.deb
    MD5 checksum: 8d4c42a419d12058a81a4875c0482683
  http://security.debian.org/dists/stable/updates/main/binary-i386/nextawg_0.5.1-34potato1_i386.deb
    MD5 checksum: b8d4405cf60e0cdae4a67078c3c5df54
  http://security.debian.org/dists/stable/updates/main/binary-i386/xaw3d_1.3-6.9potato1_i386.deb
    MD5 checksum: c2d82fd02430195fb2e2f63dea884b37
  http://security.debian.org/dists/stable/updates/main/binary-i386/xaw3dg-dev_1.3-6.9potato1_i386.deb
    MD5 checksum: da8c800a7e533970914beea1288eac86
  http://security.debian.org/dists/stable/updates/main/binary-i386/xaw3dg_1.3-6.9potato1_i386.deb
    MD5 checksum: f44322639de2bcb5049fa3360602fb79
  http://security.debian.org/dists/stable/updates/main/binary-i386/xaw95g_1.1-4.6potato1_i386.deb
    MD5 checksum: ad465ec7dd6b7cdf155da49ed40fd0f1

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1195.html

* Debian: 'analog' buffer overflow
March 7th, 2001

This bug is particularly dangerous if the form interface (which allows
unknown users to run the program via a CGI script) has been installed.
There doesn't seem to be a known exploit.

Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/analog_4.01-1potato1_i386.deb
    MD5 checksum: 67250cafaeca7404a219a9ebf49f3e54

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1191.html

* Debian: 'ePerl' buffer overflows
March 7th, 2001

When eperl is installed setuid root, it can switch to the UID/GID of the
script's owner. Although Debian doesn't ship the program setuid root,
this is a useful feature which people may have activated locally. When
the program is used as /usr/lib/cgi-bin/nph-eperl the bugs could lead
to a remote vulnerability as well.
Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/eperl_2.2.14-0.7potato2_i386.deb
    MD5 checksum: 9675e82dd0a6a04ce32dca5a30bed8bc

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1192.html

* Debian: 'man2html' update
March 7th, 2001

It has been reported that one can tweak man2html remotely into
consuming all available memory. This has been fixed by Nicolás
Lichtmaier with help of Stephan Kulow.

Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/man2html_1.5-23_i386.deb
    MD5 checksum: 706b70b961789cd15e32d1d7b53987e0

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1193.html

* Debian: 'mc' vulnerability
March 7th, 2001

It has been reported that a local user could tweak Midnight Commander
of another user into executing a random program under the user id of
the person running Midnight Commander. This behaviour has been fixed by
Andrew V. Samoilov.

Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/gmc_4.5.42-11.potato.6_i386.deb
    MD5 checksum: 2d2eb51e9ae833b605fc54711cd229fc
  http://security.debian.org/dists/stable/updates/main/binary-i386/mc-common_4.5.42-11.potato.6_i386.deb
    MD5 checksum: 45d65de62f5d7af29cf2ef3b9ab56fd8
  http://security.debian.org/dists/stable/updates/main/binary-i386/mc_4.5.42-11.potato.6_i386.deb
    MD5 checksum: c58a97f08556e18b6d7f4ff657aa62b0

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1194.html

* Debian: proftpd running as root, /var symlink removal
March 6th, 2001

There is a configuration error in the postinst script, when the user
enters 'yes' when asked if anonymous access should be enabled. The
postinst script wrongly leaves the 'run as uid/gid root' configuration
option in /etc/proftpd.conf, and adds a 'run as uid/gid nobody' option
that has no effect.
Intel ia32 architecture:
  http://security.debian.org/dists/stable/updates/main/binary-i386/proftpd_1.2.0pre10-2.0potato1_i386.deb
    MD5 checksum: 9c0ff3c87e4802316081775fcf80c5d2

* Debian: 'sudo' update
March 5th, 2001

The most recent advisory covering sudo missed one architecture that was
released with 2.2. Therefore this advisory is only an addition to
DSA 031-1 and only adds the relevant package for the powerpc
architecture.

PowerPC architecture:
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/sudo_1.6.2p2-1potato1_powerpc.deb
    MD5 checksum: aed5d9d437b614ab8495cbafe2d421ac

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1186.html

* Debian: 'proftpd' vulnerabilities
March 5th, 2001

The most recent advisory covering proftpd missed one architecture that
was released with Debian GNU/Linux 2.2. Therefore this advisory is only
an addition to DSA 029-1 and only adds the relevant package for the
Motorola 680x0 architecture.

m68k architecture:
  http://security.debian.org/dists/stable/updates/main/binary-m68k/proftpd_1.2.0pre10-2potato1_m68k.deb
    MD5 checksum: 96315bb133a487e81944e6cef2358d09

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1185.html

* Debian: 'mgetty' vulnerability
March 5th, 2001

The most recent advisory covering proftpd missed two architectures that
were released with Debian GNU/Linux 2.2. Therefore this advisory is only
an addition to DSA 011-1 and only adds the relevant package for the
Motorola 680x0 and PowerPC architectures.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1184.html

+---------------------------------+
|  Immunix                        | ----------------------------//
+---------------------------------+

* Immunix: 'joe' vulnerability
March 6th, 2001

The version of joe shipped in Immunix OS 6.2 and 7.0-beta looks for a
configuration file in the current working directory, the user's home
directory and in /etc/joe.
A malicious user could create their own .joerc configuration file and
try to get other users to use it.

Precompiled binary package for Immunix 6.2 is available at:
  http://immunix.org/ImmunixOS/6.2/updates/RPMS/joe-2.8-43.62_StackGuard.i386.rpm

Precompiled binary package for Immunix 7.0-beta and 7.0 is available at:
  http://immunix.org/ImmunixOS/7.0/updates/RPMS/joe-2.8-43.7_imnx.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1188.html

+---------------------------------+
|  Mandrake                       | ----------------------------//
+---------------------------------+

* Mandrake: 'ePerl' buffer overflows
March 8th, 2001

Several potential buffer overflows in the ePerl package have been found
by Fumitoshi Ukai and Denis Barbier. When eperl is installed setuid
root, it can switch to the UID/GID of the script's owner. Although
Linux-Mandrake does not ship the program setuid root, this is a useful
feature which some users may have activated locally on their own. There
is also the potential for a remote vulnerability as well.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1197.html

* Mandrake: 'joe' vulnerability
March 6th, 2001

The joe text editor looks for configuration files in the current
working directory, the user's home directory, and finally in /etc/joe.
A malicious user could create their own .joerc configuration file and
attempt to get other users to use it. If this were to happen, the user
could potentially execute malicious commands with their own user ID and
privileges. This update removes joe's ability to use a .joerc
configuration file in the current working directory.
PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1189.html

+---------------------------------+
|  Red Hat                        | ----------------------------//
+---------------------------------+

* Red Hat: 'joe' vulnerability
March 3rd, 2001

When starting, joe looks for a configuration file in the current
working directory, the user's home directory, and /etc/joe. A malicious
user could create a .joerc file in a world writable directory such as
/tmp and cause users running joe inside that directory to use a .joerc
file that is customized to execute commands with their own user IDs.

alpha:
  ftp://updates.redhat.com/7.0/alpha/joe-2.8-43.7.alpha.rpm
  54314afa4b55889eb86413119379e29b

i386:
  ftp://updates.redhat.com/7.0/i386/joe-2.8-43.7.i386.rpm
  86c53275430df95d2674b2805c960f5c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1182.html

+---------------------------------+
|  SuSE                           | ----------------------------//
+---------------------------------+

* SuSE: 'cups' vulnerabilities
March 5th, 2001

A SuSE-internal security audit conducted by Sebastian Krahmer and
Thomas Biege revealed several overflows as well as insecure file
handling. These bugs have been fixed by adding length checks and
securing the file access.

SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/d3/cups-devel-1.1.6-13.i386.rpm
  23c6484952ab0c1de81e2db38bcd3afc

SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/cups-1.1.6-13.i386.rpm
  812e0c47dcfe508eb9e8ccb38165b6d7

Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-1183.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".