Information Security News mailing list archives
Linux Advisory Watch, Dec 1st 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 1 Dec 2000 00:23:19 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch   |
|  December 1st, 2000                     Volume 1, Number 31a   |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com    ben () linuxsecurity com

If you're using Red Hat, be prepared to spend some time patching your
system. 16 Red Hat advisories were recently released! Advisories were
released for bash, fsh, ed, mc, pine, netscape, joe, ethereal,
ghostscript, bind, ncurses, modutils, gnorpm, usermode, apache,
cyrus-sasl, nss_ldap, and openssh. The vendors include Caldera, Debian,
Immunix, Mandrake, Red Hat, and SuSE. It is critical that you update all
vulnerable packages to reduce the risk of being compromised.

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

### OpenDoc Publishing ###

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      |
------------------------------//
+---------------------------------+

  # rpm -Uvh
  # dpkg -i

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most advisories issued by vendors are
packaged in either an rpm or dpkg. Additional installation instructions
can be found in the body of the Advisories.
+---------------------------------+
|  Checking Package Integrity:    |
-----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated sum
to determine whether the file has changed. It is commonly used to
ensure the integrity of updated packages distributed by a vendor.

  # md5sum
  ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  Caldera Advisories             |
----------------------------//
+---------------------------------+

* Caldera: 'bash' vulnerability
November 27th, 2000

Bash creates temp files for here scripts insecurely. This can be
exploited via a symlink attack to create or write over arbitrary files
on the system if the shell is run by root.

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
310d7b5b15517054697264fa449b732e  RPMS/bash-1.14.7-14.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-925.html

+---------------------------------+
|  Debian Advisories              |
----------------------------//
+---------------------------------+

* Debian: 'mc' local DoS
November 25th, 2000

Maurycy Prodeus found a problem in cons.saver, a screensaver for the
console that is included in the mc package.
cons.saver does not check if it is started with a valid stdout, which,
combined with a bug in its check to see if its argument is a tty (it
forgot to close the file descriptor after opening the supposed tty),
causes it to write a NUL character to the file given as its parameter.

http://security.debian.org/dists/stable/updates/main/source/
  mc_4.5.42-11.potato.5.diff.gz
MD5 checksum: 98428eb4284349e15b21b2cd36fbf55d

http://security.debian.org/dists/stable/updates/main/source/
  mc_4.5.42-11.potato.5.dsc
MD5 checksum: f6bfd1c1c458247e49ec1f73a8da5a47

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-922.html

* Debian: 'fsh' symlink attack
November 29th, 2000

Colin Phipps found an interesting symlink attack problem in fsh (a tool
to quickly run remote commands over rsh/ssh/lsh). When fshd starts it
creates a directory in /tmp to hold its sockets. It tries to do that
securely by checking if it can chown that directory if it already
exists, to check whether it is owned by the user invoking it. However,
an attacker can circumvent this check by inserting a symlink to a file
that is owned by the user who runs fshd and replacing that with a
directory just before fshd creates the socket.

http://security.debian.org/dists/stable/updates/main/binary-i386/
  fsh_1.0.post.1-3potato_i386.deb
MD5 checksum: 6d6dd446e87bff6ed57c7176813609c8

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-945.html

* Debian: 'ed' vulnerability
November 28th, 2000

Alan Cox discovered that GNU ed (a classic line editor tool) created
temporary files unsafely. This has been fixed in version 0.2-18.1.
http://security.debian.org/dists/stable/updates/main/binary-i386/
  ed_0.2-18.1_i386.deb
MD5 checksum: bb6dbb9648a71c56d2cf1eb353407acf

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-944.html

+---------------------------------+
|  Mandrake Advisories            |
----------------------------//
+---------------------------------+

* Mandrake: 'pine' vulnerability
November 27th, 2000

By adding specific headers to messages, the pine mail reader could be
made to exit with an error message when users attempted to manipulate
mail folders containing those messages.

http://www.linuxsecurity.com/advisories/mandrake_advisory-935.html

* Mandrake: 'bash1' vulnerability
November 28th, 2000

The bash1 shell program has the same << vulnerability that tcsh has and
incorrectly creates temporary files without the O_EXCL flag. This
vulnerability does not exist in bash2, which uses the O_EXCL flag when
creating temporary files.

http://www.linuxsecurity.com/advisories/mandrake_advisory-943.html

+---------------------------------+
|  Immunix Advisories             |
----------------------------//
+---------------------------------+

* Immunix: 'joe' vulnerability
November 28th, 2000

A local root exploit is possible if the root user is running the joe
editor.
http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
  joe-2.8-43_StackGuard.i386.rpm
MD5 Checksum: 56831a982a06cdf37e5c358b2f41aa34

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-936.html

* Immunix: 'netscape' buffer overflow
November 28th, 2000

New netscape packages are available that fix a buffer overflow when
parsing HTML.

http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
  netscape-common-4.76-1.i386.rpm
MD5 Checksum: dfa6bdfa255b83d3f68c83fa83765aca

http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
  netscape-communicator-4.76-1.i386.rpm
MD5 Checksum: f8d77e2fee0f5315fed6aeb8fd083d2f

http://www.immunix.org:8080/ImmunixOS/7.0-beta/updates/RPMS/
  netscape-navigator-4.76-1.i386.rpm
MD5 Checksum: aaf7a0497d972380432d98ca09616660

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-937.html

+---------------------------------+
|  Red Hat Advisories             |
----------------------------//
+---------------------------------+

* RedHat: 'ethereal' buffer overflow
November 29th, 2000

Versions of Ethereal prior to 0.8.14 are vulnerable to buffer
overflows. The ethereal-0.8.14 packages correct this problem.

Red Hat Powertools 7.0:

alpha:
ftp://updates.redhat.com/powertools/7.0/alpha/ethereal-0.8.14-3.alpha.rpm
MD5 Checksum: f66c8f700e762f1fcd03659f0e27626a

i386:
ftp://updates.redhat.com/powertools/7.0/i386/ethereal-0.8.14-3.i386.rpm
MD5 Checksum: fd164d3509dde25d21fd7cb926ba0e65

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-946.html

* Redhat: 'netscape' buffer overflow
November 28th, 2000

A buffer overflow exists in Netscape's HTML parsing code. By using
specially designed code, a remote website could cause arbitrary code to
be run on the local machine.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/netscape-common-4.76-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/netscape-communicator-4.76-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/netscape-navigator-4.76-1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/netscape-common-4.76-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/netscape-communicator-4.76-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/netscape-navigator-4.76-1.i386.rpm

MD5 Checksums in vendor advisory.

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-938.html

* Redhat: 'bind' update
November 28th, 2000

A bug in bind 8.2.2_P5 allows for a denial of service attack. If named
is open to zone transfers and recursive resolving, it will crash after a
ZXFR for the authoritative zone and a query of a remote hostname.

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/bind-8.2.2_P7-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-devel-8.2.2_P7-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/bind-utils-8.2.2_P7-2.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/bind-8.2.2_P7-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-devel-8.2.2_P7-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/bind-utils-8.2.2_P7-1.i386.rpm

MD5 Checksums available in vendor advisory.

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-941.html

* Redhat: 'ghostscript' vulnerabilities
November 28th, 2000

ghostscript makes use of mktemp to create temp files, which is an
insecure and predictable approach; it is now patched to use mkstemp,
which avoids the race condition on the name. It also uses improper
LD_RUN_PATH values, causing ghostscript to search for libraries to load
in the current directory.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/ghostscript-5.50-8.alpha.rpm
MD5 Checksum: bd8b80bada77d59ee28aa72f6e5674e4

i386:
ftp://updates.redhat.com/7.0/i386/ghostscript-5.50-8.i386.rpm
MD5 Checksum: 0d5f4448d5245721b1e2762f360791f2

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-942.html

* Redhat: 'ncurses' vulnerability
November 28th, 2000

Attackers can force a privileged application to use their own termcap
file containing a special terminal entry which will trigger the ncurses
vulnerability, allowing them to execute arbitrary code with the
privileges of the exploited binary.

Red Hat Linux 7.0:

i386:
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: 9affe6c75ae33d616ea695766c10e44e
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: a555ec460de5650c4a2c42abc5de838c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-923.html

* RedHat: 'nss_ldap' vulnerabilities
November 27th, 2000

A race condition has been found in the nss_ldap package. On a system
running nscd, a malicious user can cause the system to hang.

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/nss_ldap-122-1.7.alpha.rpm
MD5 Checksum: 8c47242abcd4aa16174cb41da27cdd12

i386:
ftp://updates.redhat.com/7.0/i386/nss_ldap-122-1.7.i386.rpm
MD5 Checksum: 95337178e79472118cf33b0584462679

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-927.html

* RedHat7: 'cyrus-sasl' vulnerabilities
November 27th, 2000

An error existed in the authorization checks in the version of
cyrus-sasl shipped with Red Hat Linux 7. Due to this bug, users who had
been successfully authenticated could be allowed access to resources
even if the system had been configured to deny these users access.
Versions of cyrus-sasl included in previous releases of Red Hat Power
Tools did not implement this function and are not affected by this bug.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/cyrus-sasl-1.5.24-11.alpha.rpm
MD5 Checksum: 0e6f0edb4df1489e1a12e5ea16f9f828

i386:
ftp://updates.redhat.com/7.0/i386/cyrus-sasl-1.5.24-11.i386.rpm
MD5 Checksum: 59aaec92c60ddaed257bd581d976055b

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-928.html

* RedHat: Apache and other updates
November 27th, 2000

A vulnerability in the mod_rewrite module and vulnerabilities in the
virtual hosting facility in versions of Apache prior to 1.3.14 may allow
attackers to view files on the server which are meant to be
inaccessible. Format string vulnerabilities have been found in PHP
versions 3 and 4.

PLEASE SEE VENDOR ADVISORY FOR UPDATE

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-929.html

* RedHat: 'usermode' vulnerability
November 27th, 2000

The usermode package contains a binary (/usr/bin/userhelper), which is
used to control access to programs which are to be executed as root.
Because programs invoked by userhelper are not actually running
setuid-root, security measures built into recent versions of glibc are
not active.

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/usermode-1.37-2.alpha.rpm
MD5 Checksum: 6cd3999fa6015fcf301b502d4a416373

i386:
ftp://updates.redhat.com/7.0/i386/usermode-1.37-2.i386.rpm
MD5 Checksum: c32888b6f362b04f8a3805d4465c042a

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-930.html

* RedHat: UPDATE: 'gnorpm' vulnerability
November 27th, 2000

While fixing other problems with the gnorpm package, a
locally-exploitable security hole was found where a normal user could
trick root running GnoRPM into writing to arbitrary files due to a bug
in the gnorpm tmp file handling.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/gnorpm-0.95.1-5.alpha.rpm
MD5 Checksum: 48f5f0dc6a0b17cd204a9bc6ab6c2a86

i386:
ftp://updates.redhat.com/7.0/i386/gnorpm-0.95.1-5.i386.rpm
MD5 Checksum: 1df97ee9659fc0f10c2f06ef69954228

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-931.html

* RedHat: 'joe' symlink vulnerability
November 27th, 2000

When exiting joe in a nonstandard way (such as a system crash, closing
an xterm, or a network connection going down), joe will unconditionally
append its open buffers to the file "DEADJOE". This could be exploited
by the creation of DEADJOE symlinks in directories where root would
normally use joe. In this way, joe could be used to append garbage to
potentially-sensitive files, resulting in a denial of service.

Red Hat Linux 7.0:

i386:
ftp://updates.redhat.com/7.0/i386/joe-2.8-43.i386.rpm
MD5 Checksum: 1578b0e184b76b23d2a30b101f1665d4

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-932.html

* RedHat: 'modutils' vulnerability
November 27th, 2000

The previous packages of modutils released to address a local root
compromise contained an error in new safeguards that caused them to not
be properly enabled when run as root from the kmod process. These new
safeguards check the arguments passed to modules. The new 2.3.21
modutils package fixes this error and correctly checks the arguments
when running from kmod, limiting kernel module arguments to those
specified in /etc/conf.modules (on Red Hat Linux 6.2) or
/etc/modules.conf (on Red Hat Linux 7). This release supersedes the
previous modutils errata packages.
Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/modutils-2.3.21-1.alpha.rpm
MD5 Checksum: 6f68c415e4ec7f18bc68e987e488056b

i386:
ftp://updates.redhat.com/7.0/i386/modutils-2.3.21-1.i386.rpm
MD5 Checksum: 46b7f3331bccd927d9d7fefbec74f721

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-933.html

* RedHat: 'pine' denial of service vulnerability
November 27th, 2000

By adding specific headers to messages, the pine mail reader and the
imap server could be made to exit with an error message when users
attempted to manipulate mail folders containing those messages. This
release also introduces SSL support to Red Hat Linux 6.x, Kerberos
support for Red Hat Linux 6.0 and 6.1, and LDAP support for Red Hat
Linux 6.0. This means that the packages from the enhancement advisories
for these packages will also need to be installed.

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/pine-4.30-2.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/imap-2000-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/imap-devel-2000-3.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/pine-4.30-2.i386.rpm
ftp://updates.redhat.com/7.0/i386/imap-2000-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/imap-devel-2000-3.i386.rpm

MD5 Checksums available in vendor advisory.

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-934.html

* Redhat: 'bash 1.x' vulnerability
November 27th, 2000

The << operator in bash 1.x used predictable filenames, leading to a
potential denial of service attack. A local user account is required to
exploit the security leak.
Red Hat Linux 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/bash-1.14.7-23.6x.alpha.rpm
MD5 Checksum: 19ed96c0935ef630215736d242911c98

sparc:
ftp://updates.redhat.com/6.2/sparc/bash-1.14.7-23.6x.sparc.rpm
MD5 Checksum: 1a92e61a4d5c7989b26d687dfe881a5c

i386:
ftp://updates.redhat.com/6.2/i386/bash-1.14.7-23.6x.i386.rpm
MD5 Checksum: 9fe492b13c08e7993a918d0395fda486

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-924.html

* RedHat7: 'openssh' vulnerability
November 27th, 2000

An OpenSSH client will do agent or X11 forwarding at the request of a
server, even if the user has not requested that it be done. A malicious
server can exploit this vulnerability to gain access to the user's
display.

i386:
ftp://updates.redhat.com/7.0/i386/openssh-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-clients-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-server-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-askpass-2.3.0p1-4.i386.rpm
ftp://updates.redhat.com/7.0/i386/openssh-askpass-gnome-2.3.0p1-4.i386.rpm

MD5 Checksums available in advisory.

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-926.html

* Redhat: 'ncurses' vulnerability
November 26th, 2000

Attackers can force a privileged application to use their own termcap
file containing a special terminal entry which will trigger the ncurses
vulnerability, allowing them to execute arbitrary code with the
privileges of the exploited binary.
Red Hat Linux 7.0:

i386:
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: 9affe6c75ae33d616ea695766c10e44e
ftp://updates.redhat.com/7.0/i386/ncurses-devel-5.2-2.i386.rpm
MD5 Checksum: a555ec460de5650c4a2c42abc5de838c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-923.html

+---------------------------------+
|  SuSE Advisories                |
----------------------------//
+---------------------------------+

* SuSE: 'netscape' buffer overflow
November 30th, 2000

It may be possible for an attacker to supply a webpage that executes
arbitrary code as the user running netscape. As of today, no exploit
code is known to exist in the wild.

Intel i386 Platform:

SuSE-7.0, SuSE-6.4, SuSE-6.3, SuSE-6.2:
ftp://ftp.suse.com/pub/suse/i386/update/7.0/xap1/netscape-4.76.glibc21.i386.rpm
MD5 Checksum: 7ccebaca7df0937a3c08fc30a27af858

SuSE-6.1, SuSE-6.0:
ftp://ftp.suse.com/pub/suse/i386/update/5.3/xap1/netscape-4.76.libc5.i386.rpm
MD5 Checksum: 3c4f06c5fea4755083524eb135627380

* SuSE: 'openssh/ssh' vulnerability
November 24th, 2000

Many vulnerabilities have been found in the openssh package, along with
a compilation problem in the openssh and ssh packages in the SuSE-7.0
distribution: An openssh client (the ssh program) can accept X11- or
ssh-agent forwarding requests even though these forwarding capabilities
have not been requested by the client side after successful
authentication. Using these weaknesses, an attacker could gain access
to the authentication agent, which may hold multiple user-owned
authentication identities, or to the X server on the client side as if
requested by the user.
i386 Intel Platform:
SuSE-7.0
ftp://ftp.suse.de/pub/suse/i386/update/7.0/sec1/openssh-2.3.0p1-0.i386.rpm
MD5 Checksum: 3c7b9044ffb64f9f74c904eb2b278eb2

Sparc Platform:
SuSE-7.0
ftp://ftp.suse.de/pub/suse/sparc/update/7.0/sec1/openssh-2.3.0p1-0.sparc.rpm
MD5 Checksum: 898aaaacee88777429496f1a5658076f

AXP Alpha Platform:
SuSE-7.0
ftp://ftp.suse.de/pub/suse/axp/update/7.0/sec1/openssh-2.3.0p1-0.alpha.rpm
MD5 Checksum: dd12c60b2744455780c976b115b26f27

PPC Power PC Platform:
SuSE-7.0
ftp://ftp.suse.de/pub/suse/ppc/update/7.0/sec1/openssh-2.3.0p1-0.ppc.rpm
MD5 Checksum: 72f7c339991e54a476585012423dda62

Vendor Advisory:
http://www.linuxsecurity.com/advisories/suse_advisory-916.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body
of "SIGNOFF ISN".
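The check described under "Checking Package Integrity" above, scripted so that every downloaded package is compared with the checksum published in the advisory before rpm or dpkg is ever run. This is an added example, not part of the newsletter or of any vendor's tooling; the package names and digests in the demo are constructed.

```shell
#!/bin/sh
# Added example: verify downloaded update packages against the MD5 checksums
# published in an advisory before installing them.  File names and digests
# used in demo() are constructed for illustration, not taken from a vendor.

# Print the MD5 of a file as 32 lowercase hex characters.
# md5sum prints "HASH  FILE"; only the first field is kept.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_package FILE EXPECTED_MD5
# Return 0 when the digest of FILE equals EXPECTED_MD5 (case-insensitive),
# 1 when the file is missing or the digest differs.
verify_package() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file: expected $expected, got $actual" >&2
    return 1
}

# verify_list LISTFILE DIR
# LISTFILE holds one "MD5 FILENAME" pair per line, the layout the Caldera
# entry uses and the one 'md5sum -c' reads.  Every package is checked and
# the function fails if any single one is missing or mismatched, so a
# partial success can never be mistaken for a clean set of packages.
verify_list() {
    list=$1
    dir=$2
    rc=0
    while read -r sum name; do
        [ -z "$sum" ] && continue           # skip blank lines
        verify_package "$dir/$name" "$sum" || rc=1
    done < "$list"
    return $rc
}

# Demo: one untouched package and one "tampered" download whose published
# checksum no longer matches.  Only if all verify would rpm -Uvh be run.
demo() {
    work=$(mktemp -d) || return 1
    printf 'pretend rpm payload\n' > "$work/good.rpm"
    printf 'modified rpm payload\n' > "$work/bad.rpm"
    good=$(md5_of "$work/good.rpm")
    printf '%s good.rpm\n%s bad.rpm\n' "$good" "$good" > "$work/MD5SUMS"
    if verify_list "$work/MD5SUMS" "$work"; then
        echo "all packages verified; safe to run rpm -Uvh"
    else
        echo "verification failed; do not install" >&2
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

As the newsletter notes, this only proves the download matches what the packager published; it does not protect against a packager (or a compromised mirror) that alters both the package and the published sum.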
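The bash 1.x, ed, ghostscript and gnorpm entries above share one bug class: temporary files opened at predictable names without O_EXCL. As an added example (not from the newsletter or from any of those packages), the shell's noclobber mode gives the same O_CREAT|O_EXCL open that bash2 and mkstemp(3) use, so a file or symlink planted at the expected name is refused instead of written through; all paths used are constructed inside a private directory.

```shell
#!/bin/sh
# Added example: temp-file creation with and without O_EXCL, the bug class
# behind the bash 1.x, ed, ghostscript and gnorpm entries.  A plain '>'
# redirection opens with O_CREAT|O_TRUNC and follows whatever is already at
# the path; under 'set -C' (noclobber) the shell opens with O_CREAT|O_EXCL,
# the same flag bash2 and mkstemp(3) use, so the open fails if the path
# already exists.  All paths below are constructed in a private directory.

# create_exclusive PATH
# Create PATH as a new file.  Returns 1 if anything, including a symlink
# to a file elsewhere, is already present at PATH, leaving it untouched.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# create_unsafe PATH
# The pre-fix behaviour for comparison: truncates or follows what is there.
create_unsafe() {
    : > "$1"
}

# safe_tmpfile PREFIX
# The right fix for real programs: let mktemp(1) pick an unpredictable name
# and open it O_EXCL, as mkstemp(3) does for ghostscript after the patch.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/$1.XXXXXX"
}

# Demo: plant a symlink at a constructed predictable name, pointing at a
# file we want to protect, then try both open styles against it.
demo() {
    dir=$(mktemp -d) || return 1
    victim="$dir/important"
    planted="$dir/sh-12345"                 # constructed predictable name
    printf 'do not lose this\n' > "$victim"
    ln -s "$victim" "$planted"

    if create_exclusive "$planted"; then
        echo "unexpected: O_EXCL open succeeded"
    else
        echo "O_EXCL refused $planted; victim still holds: $(cat "$victim")"
    fi

    create_unsafe "$planted"
    echo "plain '>' followed the symlink; victim now has $(wc -c < "$victim") bytes"

    t=$(safe_tmpfile example) && echo "mktemp gave an unguessable name: $t"
    rm -rf "$dir" ${t:+"$t"}
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `demo` as the first argument to see both outcomes; in a real program the fix is mkstemp(3)/mktemp(1), not just noclobber, since an unguessable name removes the race as well as the overwrite.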