Information Security News mailing list archives

Linux Advisory Watch - March 9th 2001


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 9 Mar 2001 10:40:57 -0500

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  March 9th, 2001                         Volume 2, Number 10a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.

Debian, Debian, Debian!  If you're using Debian, it's time to update.  13
advisories were just recently released.  This week, advisories were
released for Zope, mail, mgetty, proftpd, sudo, analog, ePerl, man2html,
mc, nextaw, sgml-tools, glibc, slrn, joe, and cups.  The vendors include
Conectiva, Caldera, Debian, Mandrake, Red Hat, SuSE, and Immunix.

FREE SECURITY BOOKS - Guardian Digital has just announced an offer
for 2 free security books with the purchase of any secure Linux
Lockbox. The Lockbox is an Open Source network server appliance
engineered to be a complete secure e-business solution. It can be
used as a commerce server, web server, DNS, mail, and database
server.

http://www.guardiandigital.com/bookoffer.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html


+---------------------------------+
| Installing a new package:       | ------------------------------//
+---------------------------------+

# rpm -Uvh <package>.rpm
# dpkg -i <package>.deb

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
| Checking Package Integrity:     | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

# md5sum <package>.rpm
ebf0d4a0d236453f63a797ea20f0758b  <package>.rpm

The resulting string can then be compared against the MD5 checksum
published by the packager. While it does not account for the
possibility that whoever modified a package also modified the
published checksum, it is especially useful for establishing a great
deal of assurance in the integrity of a package before installing it.
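The check above, as an added shell example that is not part of the newsletter: it recomputes a package's MD5, compares it with the digest from the advisory and refuses to install on a mismatch. It assumes GNU coreutils md5sum, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the newsletter: verify a downloaded update package
# against the MD5 checksum printed in the vendor advisory before installing.
# Assumes GNU coreutils md5sum; function names are assumptions.

# Prints only the digest: md5sum output is "<digest>  <filename>".
file_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# Returns 0 when the file's digest equals the expected one, 1 otherwise.
# The expected value is lower-cased because advisories differ in hex case.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_md5 "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Installs only after the check passes. Take the expected digest from the
# advisory text (a separate channel), not from the mirror that served the
# package: a mirror that can alter the file can alter a checksum file too.
install_verified() {
    pkg="$1"
    if ! verify_md5 "$pkg" "$2"; then
        echo "checksum mismatch for $pkg, refusing to install" >&2
        return 1
    fi
    case "$pkg" in
        *.rpm) rpm -Uvh "$pkg" ;;
        *.deb) dpkg -i "$pkg" ;;
        *) echo "unknown package type: $pkg" >&2; return 1 ;;
    esac
}
```

For the Debian proftpd package listed below, the call would be `install_verified proftpd_1.2.0pre10-2.0potato1_i386.deb 9c0ff3c87e4802316081775fcf80c5d2`, with the digest copied from the advisory entry.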


+---------------------------------+
|   Conectiva                     | ----------------------------//
+---------------------------------+

* Conectiva:  'Zope' vulnerabilities
March 2nd, 2001

The Zope authors have released a new hotfix that addresses a
vulnerability with ZClasses. A user with through-the-web scripting
capabilities on a Zope site can view and assign class attributes to
ZClasses, possibly allowing

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1180.html


+---------------------------------+
|   Caldera                       | ----------------------------//
+---------------------------------+


* Caldera:  '/bin/mail' buffer overflow
March 2nd, 2001

There is a buffer overflow in /bin/mail which allows a local attacker
to read, modify and delete mails of other users of the system.

 ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
 abc1ee0ce4d52ba1dd7059167af66cdc

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/caldera_advisory-1181.html


+---------------------------------+
|   Debian                        | ----------------------------//
+---------------------------------+


* Debian: UPDATE: 'proftpd' vulnerabilities
March 8th, 2001

This is an update to the DSA-032-1 advisory. The powerpc package that
was listed in that advisory was unfortunately compiled on the wrong
system which caused it to not work on a Debian GNU/Linux 2.2 system.

 PowerPC architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-powerpc/proftpd_1.2.0pre10-2.0potato1.1_powerpc.deb
 MD5 checksum: 710e1b324dc8962c14919d0e58078740

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1199.html


* Debian:  'glibc' vulnerabilities
March 8th, 2001

It was possible to use LD_PRELOAD to load libraries that are listed
in /etc/ld.so.cache, even for suid programs. This could be used to
create (and overwrite) files which a user should not be allowed to.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1198.html



* Debian: 'slrn' buffer overflow
March 8th, 2001

Bill Nottingham reported a problem in the wrapping/unwrapping
functions of the slrn newsreader. A long header in a message might
overflow a buffer, which could result in executing arbitrary
code encoded in the message.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/slrn_0.9.6.2-9potato1_i386.deb
 MD5 checksum: c871721245934e479a70fc712fa24021

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/slrnpull_0.9.6.2-9potato1_i386.deb
 MD5 checksum: 2e8c43ac86e3a28ca5c65f40c47315d8

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1200.html



* Debian:  'sgml-tools' insecure temp files
March 7th, 2001

Former versions of sgml-tools created temporary files directly in
/tmp in an insecure fashion. Version 1.0.9-15 and higher create a
subdirectory first and open temporary files within that directory.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/sgml-tools_1.0.9-15_i386.deb
 MD5 checksum: bc2d3d8eea05c1b0495724390b2099a4

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1196.html



* Debian:  'nextaw', 'xaw3d', and 'xaw95' vulnerabilities
March 7th, 2001

It has been reported that the AsciiSrc and MultiSrc widget in the
Athena widget library handle temporary files insecurely. Joey Hess
has ported the bugfix from XFree86 to these Xaw replacements
libraries.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/nextaw_0.5.1-34potato1_i386.deb
 MD5 checksum: 8d4c42a419d12058a81a4875c0482683

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/nextawg_0.5.1-34potato1_i386.deb
 MD5 checksum: b8d4405cf60e0cdae4a67078c3c5df54

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/xaw3d_1.3-6.9potato1_i386.deb
 MD5 checksum: c2d82fd02430195fb2e2f63dea884b37

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/xaw3dg-dev_1.3-6.9potato1_i386.deb
 MD5 checksum: da8c800a7e533970914beea1288eac86

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/xaw3dg_1.3-6.9potato1_i386.deb
 MD5 checksum: f44322639de2bcb5049fa3360602fb79

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/xaw95g_1.1-4.6potato1_i386.deb
 MD5 checksum: ad465ec7dd6b7cdf155da49ed40fd0f1

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1195.html



* Debian:  'analog' buffer overflow
March 7th, 2001

This bug is particularly dangerous if the form interface (which
allows unknown users to run the program via a CGI script) has been
installed. There doesn't seem to be a known exploit.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/analog_4.01-1potato1_i386.deb
 MD5 checksum: 67250cafaeca7404a219a9ebf49f3e54

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1191.html


* Debian:  'ePerl' buffer overflows
March 7th, 2001

When eperl is installed setuid root, it can switch to the UID/GID of
the script's owner. Although Debian doesn't ship the program setuid
root, this is a useful feature which people may have activated
locally. When the program is used as /usr/lib/cgi-bin/nph-eperl the
bugs could lead to a remote vulnerability as well.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/eperl_2.2.14-0.7potato2_i386.deb
 MD5 checksum: 9675e82dd0a6a04ce32dca5a30bed8bc

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1192.html



* Debian:  'man2html' update
March 7th, 2001

It has been reported that one can tweak man2html remotely into
consuming all available memory. This has been fixed by Nicolás
Lichtmaier with help of Stephan Kulow.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/man2html_1.5-23_i386.deb
 MD5 checksum: 706b70b961789cd15e32d1d7b53987e0

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1193.html



* Debian:  'mc' vulnerability
March 7th, 2001

It has been reported that a local user could tweak Midnight Commander
of another user into executing a random program under the user id of
the person running Midnight Commander. This behaviour has been fixed
by Andrew V. Samoilov.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/gmc_4.5.42-11.potato.6_i386.deb
 MD5 checksum: 2d2eb51e9ae833b605fc54711cd229fc

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/mc-common_4.5.42-11.potato.6_i386.deb
 MD5 checksum: 45d65de62f5d7af29cf2ef3b9ab56fd8

 http://security.debian.org/dists/stable/updates/main/
 binary-i386/mc_4.5.42-11.potato.6_i386.deb
 MD5 checksum: c58a97f08556e18b6d7f4ff657aa62b0

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1194.html




* Debian:  proftpd running as root, /var symlink removal
March 6th, 2001

There is a configuration error in the postinst script, when the user
enters 'yes', when asked if anonymous access should be enabled. The
postinst script wrongly leaves the 'run as uid/gid root'
configuration option in /etc/proftpd.conf, and adds a 'run as uid/gid
nobody' option that has no effect.

 Intel ia32 architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-i386/proftpd_1.2.0pre10-2.0potato1_i386.deb
 MD5 checksum: 9c0ff3c87e4802316081775fcf80c5d2


* Debian: 'sudo' update
March 5th, 2001

The most recent advisory covering sudo missed one architecture that
was released with 2.2. Therefore this advisory is only an addition to
DSA 031-1 and only adds the relevant package for the powerpc
architecture.

 PowerPC architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-powerpc/sudo_1.6.2p2-1potato1_powerpc.deb
 MD5 checksum: aed5d9d437b614ab8495cbafe2d421ac

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1186.html



* Debian:  'proftpd' vulnerabilities
March 5th, 2001

The most recent advisory covering proftpd missed one architecture
that was released with Debian GNU/Linux 2.2. Therefore this advisory
is only an addition to DSA 029-1 and only adds the relevant package
for the Motorola 680x0 architecture.

 Motorola 680x0 (m68k) architecture:
 http://security.debian.org/dists/stable/updates/main/
 binary-m68k/proftpd_1.2.0pre10-2potato1_m68k.deb
 MD5 checksum: 96315bb133a487e81944e6cef2358d09

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1185.html


* Debian:  'mgetty' vulnerability
March 5th, 2001

The most recent advisory covering proftpd missed two architectures
that were released with Debian GNU/Linux 2.2. Therefore this advisory
is only an addition to DSA 011-1 and only adds the relevant packages
for the Motorola 680x0 and PowerPC architectures.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/debian_advisory-1184.html



+---------------------------------+
|   Immunix                       | ----------------------------//
+---------------------------------+

* Immunix:  'joe' vulnerability
March 6th, 2001

The version of joe shipped in Immunix OS 6.2 and 7.0-beta looks for a
configuration file in the current working directory, the user's home
directory and in /etc/joe. A malicious user could create their own
.joerc configuration file and try to get other users to use it.

 Precompiled binary package for Immunix 6.2 is available at:
 http://immunix.org/ImmunixOS/6.2/updates/RPMS/
 joe-2.8-43.62_StackGuard.i386.rpm

 Precompiled binary package for Immunix 7.0-beta and 7.0 is
 available at:
 http://immunix.org/ImmunixOS/7.0/updates/RPMS/
 joe-2.8-43.7_imnx.i386.rpm

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/other_advisory-1188.html


+---------------------------------+
|   Mandrake                      | ----------------------------//
+---------------------------------+


* Mandrake:  'ePerl' buffer overflows
March 8th, 2001

Several potential buffer overflows in the ePerl package have been
found by Fumitoshi Ukai and Denis Barbier. When eperl is installed
setuid root, it can switch to the UID/GID of the script's owner.
Although Linux-Mandrake does not ship the program setuid root, this
is a useful feature which some users may have activated locally on
their own. There is also the potential for a remote vulnerability.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1197.html


* Mandrake:  'joe' vulnerability
March 6th, 2001

The joe text editor looks for configuration files in the current
working directory, the user's home directory, and finally in
/etc/joe. A malicious user could create their own .joerc
configuration file and attempt to get other users to use it. If this
were to happen, the user could potentially execute malicious commands
with their own user ID and privileges. This update removes joe's
ability to use a .joerc configuration file in the current working
directory.

 PLEASE SEE VENDOR ADVISORY FOR UPDATE
 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/mandrake_advisory-1189.html




+---------------------------------+
|   Red Hat                       | ----------------------------//
+---------------------------------+


* Red Hat:  'joe' vulnerability
March 3rd, 2001

When starting, joe looks for a configuration file in the current
working directory, the user's home directory, and /etc/joe. A
malicious user could create a .joerc file in a world-writable
directory such as /tmp, so that users who run joe inside that
directory pick up a .joerc file customized to execute commands
with their own user IDs.

 alpha:
 ftp://updates.redhat.com/7.0/alpha/joe-2.8-43.7.alpha.rpm
 54314afa4b55889eb86413119379e29b

 i386:
 ftp://updates.redhat.com/7.0/i386/joe-2.8-43.7.i386.rpm
 86c53275430df95d2674b2805c960f5c

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/redhat_advisory-1182.html
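The current-directory lookup described in the Immunix, Mandrake and Red Hat joe entries is where a planted .joerc would sit; as an added defender's check that is not part of the newsletter or any vendor advisory, this shell function lists .joerc files found directly inside world-writable directories. The function names and the scan root are assumptions.

```shell
#!/bin/sh
# Added example, not from the newsletter: audit for joe configuration files
# planted in directories that any user can write to. Because joe reads
# .joerc from the current working directory, such a file is used by whoever
# starts joe there. Function names and scan root are assumptions; the
# "-perm -002" test (other-writable) is POSIX find syntax.

# Prints the path of every .joerc found directly inside a world-writable
# directory below $1. Output is empty when nothing suspicious is present.
find_untrusted_joerc() {
    find "$1" -type d -perm -002 2>/dev/null | while read -r dir; do
        if [ -f "$dir/.joerc" ]; then
            printf '%s\n' "$dir/.joerc"
        fi
    done
}

# Returns 0 when the scan is clean and 1 when at least one file was found,
# so the check can gate a cron job or a login script.
joerc_scan_clean() {
    [ -z "$(find_untrusted_joerc "$1")" ]
}
```

Running `find_untrusted_joerc /tmp` on a system with the unpatched joe shows which shared directories would feed an attacker-supplied configuration to anyone editing there.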


+---------------------------------+
|   SuSE                          | ----------------------------//
+---------------------------------+

* SuSE:  'cups' vulnerabilities
March 5th, 2001

A SuSE-internal security audit conducted by Sebastian Krahmer and
Thomas Biege revealed several overflows as well as insecure file
handling. These bugs have been fixed by adding length checks and
securing file access.

 SuSE-7.1
 ftp://ftp.suse.com/pub/suse/i386/update/7.1/d3/
 cups-devel-1.1.6-13.i386.rpm
 23c6484952ab0c1de81e2db38bcd3afc

 SuSE-7.1
 ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/
 cups-1.1.6-13.i386.rpm
 812e0c47dcfe508eb9e8ccb38165b6d7

 Vendor Advisory:
 http://www.linuxsecurity.com/advisories/suse_advisory-1183.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
